When conmon was killed podman rm -f currently fails but running it again
then works which doesn't really make sense. We should properly remove
the container even if conmon is dead.
In fact the code already handles ErrConmonDead as stop error when we
remove the container but this error was never thrown anywhere. To fix
this throw ErrConmonDead instead of ErrInternal because that is not an
internal error if something else killed conmon.
With this we can correctly cleanup and remove the container. The fact
that this works on the first try is important for quadlet units as they
only run the ExecStopPost= command once to remove it.
Fixes: #26640
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
There is no reason for local and remote to use a different error that
just differs in quoting. Make them consistent to simplify the tests.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Updated helper function "find_exec_pid_files" and called it the "podman exec - leak check" test.
Fixes: #26616
Signed-off-by: Craig Spencer <craig.spencer812@gmail.com>
Prevent `podman volume export` from showing raw tar contents directly to the terminal (STDOUT). If not redirected and without output flag, error message is expected.
Fixes: #26506
Signed-off-by: Arthur Wu <lion811004@gmail.com>
I noticed recently when I made a typo that then auto-update errored but
it did not tell me which container was incorrect so I had to check all
containers myself. Include the container ID in the error to make it
clear which container has the issue.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Do not ignore ErrUnexpectedEOF from DemuxHeader(), if we fail to parse
the header there must have been a clear protocol error between client
and server which should be reported and not silently ignored. I wonder
if this might explain why we have missing remote exec/attach output
without any error, it is possible we are eating some internal errors due
to this.
Commit ba8eba83ef added the ErrUnexpectedEOF check but without any
explanation why that would be needed. The tests from that commit pass
without it locally but not in CI. With some debugging best I found the
issue is actually a test bug. The channel is not consumed until it is
closed which means the main test exits before the log reading goroutine
is done. And if the main test exits the first step it does is to kill
the podman service which then can trigger the ErrUnexpectedEOF server on
the still open http connection and thus the test case failed there.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
DemuxFrame() already returns a byte slice with the correct length so
this makes it simpler and the caller does not need to check this at all.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
io.ReadFull() already returns ErrUnexpectedEOF if there was a short read
so this check is redundant and can be dropped.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
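A worked example of the header and frame reading that the three commits above discuss, added here and not taken from podman's source: the 8-byte header layout (1 byte stream type, 3 padding bytes, 4-byte big-endian length), the maxFrameSize bound and every function name are assumptions made for this example. It shows why a short read from io.ReadFull should be returned to the caller rather than ignored, and why the frame reader needs no separate length check.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

// Assumed header layout for this example (not taken from podman):
// 1 byte stream type, 3 bytes padding, 4 byte big-endian payload length.
const headerSize = 8

// maxFrameSize bounds one frame so a corrupt length field cannot make us
// allocate an arbitrarily large buffer (a defensive choice for the example).
const maxFrameSize = 1 << 20

type Frame struct {
	Stream  byte
	Payload []byte
}

// demuxHeader reads one header with io.ReadFull. A short read surfaces as
// io.ErrUnexpectedEOF and is returned unchanged: a truncated header is a
// protocol error, not something to swallow. A clean io.EOF before the first
// header byte means the stream ended at a frame boundary.
func demuxHeader(r io.Reader) (stream byte, length uint32, err error) {
	var hdr [headerSize]byte
	if _, err := io.ReadFull(r, hdr[:]); err != nil {
		return 0, 0, err
	}
	length = binary.BigEndian.Uint32(hdr[4:])
	if length > maxFrameSize {
		return 0, 0, fmt.Errorf("frame length %d exceeds limit %d", length, maxFrameSize)
	}
	return hdr[0], length, nil
}

// demuxFrame reads the payload announced by the header. io.ReadFull returns
// a nil error only when exactly len(buf) bytes arrived, so the caller never
// needs to re-check the slice length; a short read is io.ErrUnexpectedEOF.
func demuxFrame(r io.Reader, length uint32) ([]byte, error) {
	buf := make([]byte, length)
	if _, err := io.ReadFull(r, buf); err != nil {
		return nil, err
	}
	return buf, nil
}

// readAllFrames drains a multiplexed stream, stopping on a clean EOF at a
// frame boundary and reporting any truncation as an error.
func readAllFrames(r io.Reader) ([]Frame, error) {
	var frames []Frame
	for {
		stream, length, err := demuxHeader(r)
		if errors.Is(err, io.EOF) {
			return frames, nil
		}
		if err != nil {
			return frames, fmt.Errorf("reading frame header: %w", err)
		}
		payload, err := demuxFrame(r, length)
		if err != nil {
			return frames, fmt.Errorf("reading %d byte frame: %w", length, err)
		}
		frames = append(frames, Frame{Stream: stream, Payload: payload})
	}
}

// encodeFrame builds one frame; used only to construct sample input.
func encodeFrame(stream byte, payload []byte) []byte {
	hdr := make([]byte, headerSize)
	hdr[0] = stream
	binary.BigEndian.PutUint32(hdr[4:], uint32(len(payload)))
	return append(hdr, payload...)
}

func main() {
	// Constructed sample stream: one stdout frame followed by one stderr frame.
	good := append(encodeFrame(1, []byte("hello\n")), encodeFrame(2, []byte("oops\n"))...)
	frames, err := readAllFrames(bytes.NewReader(good))
	fmt.Println(len(frames), err)

	// The same stream with its last 3 bytes missing must not be silently
	// accepted: the truncated payload is reported as io.ErrUnexpectedEOF.
	_, err = readAllFrames(bytes.NewReader(good[:len(good)-3]))
	fmt.Println(errors.Is(err, io.ErrUnexpectedEOF))
}
```

The truncation cases are the point: if a service closes the connection mid-frame, the reader sees io.ErrUnexpectedEOF and the caller gets an error instead of partial output with a clean exit.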
The fuse-overlayfs example was misleading as setting fuse-overlayfs
will cause a persistent storage configuration change rather than a
one-time option.
Closes: https://github.com/containers/podman/issues/26590
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
It seems the new bpftrace version since 0.22 logs a warning if we try to
delete a key that does not exist.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
On bpftrace 0.22 this fails to compile and load so the script currently
does not show us anything in CI there.
We need to clamp the string size a bit; 128 chars seems more than enough
for the podman/conmon binary path length.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
The default has been set to 1024 which should be good enough and better
than having to unroll this loop like that.
This is supported since bpftrace 0.22 which is in fedora 42.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
For the current version of journalctl, the --user option only works when
the persistent storage is enabled. So we need to check this option
before we use it. Otherwise a set of tests will fail with "can
not find expected output from journalctl" with a rootless user.
Signed-off-by: Yiqiao Pu <ypu@redhat.com>
Lock access to and modification of the index.json file, to ensure
concurrent addition/removal does not result in lost state. Use a
standard c/storage lockfile, making use of its r/w locking
ability to support concurrent access, only serializing writes.
This is not a very efficient locking scheme around artifact
removal and - especially - addition. I view this as the first
step, establishing any sort of mutual exclusion to prevent state
corruption. Step 2 is to adapt the staged removal work being
done to make image removal require only minimal use of locks,
ensuring it works with artifact addition. This staged addition
means we won't have to hold the lock for the full artifact pull.
Signed-off-by: Matt Heon <mheon@redhat.com>
When generating Conmon's command line, we read containers.conf to
get log_size_max and use it if the container didn't override it.
However, `podman inspect` only reads from the container's own
config, and ignores containers.conf. Unify the way we determine
maximum log size with a single function and use it for both
inspect and containers.conf, and add a test for this behavior.
Fixes https://issues.redhat.com/browse/RHEL-96776
Signed-off-by: Matt Heon <mheon@redhat.com>
Currently WSL uses UTF-16 encoded output by default but is planning
to use UTF-8.
See https://github.com/containers/podman/issues/26527
To get ready for the change we are enforcing UTF-8 encoded output by
setting the environment variable `WSL_UTF8=1` and by updating the
code that transformed wsl output from UTF-16 to UTF-8.
Fixes https://github.com/containers/podman/issues/26527
Signed-off-by: Mario Loriedo <mario.loriedo@gmail.com>
Given container logs end up in syslog by default, somewhat-clarify that `--syslog` is about podman logs, not container logs.
Signed-off-by: Chris Hofstaedtler <zeha@users.noreply.github.com>
During my binary size reduce experiments I often switch build tags
around but make binaries does not recompile in these cases.
It is annoying to always do touch cmd/podman/main.go so let's add it to
the SOURCES instead so the Makefile will recompile on changes.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
The build tag was added to remove the "golang.org/x/net/trace"
dependency[1]. So let's use that.
With that we reduce the binary size by 432KB.
[1] https://github.com/grpc/grpc-go/pull/6954
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Unfortunately on a number of occasions, Podman has been released
officially with a `-dev` suffix in the version number. Assist in
catching this mistake at release time by the addition of a simple
conditional test. Note that it must be positively enabled by a
magic env. var. before executing the system tests.
Also (thanks to @lsm5) update the TMT test to trigger the new
condition for future Fedora releases.
Signed-off-by: Chris Evich <cevich@redhat.com>
An HTTP response with Content-Type application/json does not need
to be HTML escaped. Doing this causes encoding issues in the Podman
REST API output as seen in the issue:
Fixes #17769
Remove the HTML escaping from Content-Type: application/json responses.
Signed-off-by: Stef Walter <stef@thewalter.net>
Co-Authored-By: Claude <noreply@anthropic.com>
All callers ignore the error anyways so no reason to return it as the
function itself already logs it.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
We don't need a stub implementation as this code should never end up
being imported on non windows platforms.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Make use of our custom ChoiceValue flag type instead of using yet
another type. With that we can remove the StringSet type.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Only one function, there are more public bindings that call a legit
server endpoint but are unused by podman-remote. As external users might
need/want them they should stay.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
One might think Close() should be called but we are already using
Shutdown() which is the graceful way to stop the server so we don't
actually need Close().
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Deadcode showed that the ShouldRestart() API endpoint was never wired
into the router so the endpoint did not exist and the bindings called
a non existing endpoint which returned 404 which the binding code
assumed means no restart.
As such remove all this code as it didn't do anything useful. And IMO
exposing a shouldrestart API always felt wrong to me. The client
should not have to deal with this.
This commit does not change the behavior but it also does not make an
attempt to fix the broken restart handling with the remote client. Given
we do not seem to have any user reports about this it seems it is not
used.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
The function was added but never wired into the cli option so there never
were shell completions for this.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
- Changed GitHub username from 'Neil-Smith' to 'actionmancan'
- Maintains Neil Smith's role as Community Manager
Signed-off-by: G A Neil Smith <nesmith@redhat.com>
With the recent release of krunkit 0.2.0, a CLI option was added to
enable nested virtualization on macOS hosts with an M3 or higher. Enable
this by default. If the host does not support this feature, krunkit will
ignore the argument and continue starting the VM.
Signed-off-by: Jake Correnti <jakecorrenti+github@proton.me>
Setup a local web server both for HTTP and HTTPS and make sure the
client rejects the connection and does not try to pull the image.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
For unknown reasons systemd-resolved sometimes responds with NXDOMAIN
instead of REFUSED which it seems to use by default for a local name
without domain part. So the fact that this works at all right now is
super weird.
In any case we just want to make sure the name did not get resolved so
allow both here to fix the flake.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Bump bundled krunkit to 0.2.2. This bundle also includes libkrun
1.14.0, allowing us to enable nested virt on M3 and M4 systems by
default.
Signed-off-by: Sergio Lopez <slp@redhat.com>
Allow users to target the most recently created container with
`podman update --latest` (short `-l`). The same option already exists
on many other commands, so this brings update in line with the rest of
the CLI and saves users from typing or looking up the newest container.
Fixes: #26380
Signed-off-by: Hayato Kihara <kai.21banana@gmail.com>
As with `volume export`, this was coded up exclusively in cmd/
instead of in libpod. Move it into Libpod, add a REST endpoint,
add bindings, and now everything talks using the ContainerEngine
wiring.
Also similar to `volume export` this also makes things work much
better with volumes that require mounting - we can now guarantee
they're actually mounted, instead of just hoping.
Includes some refactoring of `volume export` as well, to simplify
its implementation and ensure both Import and Export work with
readers/writers, as opposed to just files.
Fixes #26409
Signed-off-by: Matt Heon <mheon@redhat.com>
The field allows users to specify a custom stop signal (e.g., SIGUSR1) per container.
If defined, it overrides the default stop signal (SIGTERM) or that defined in the image metadata.
Fixes: #25389
Signed-off-by: Arthur Wu <lion811004@gmail.com>
A recent pasta update changed the selinux rules and we now run pasta
under pasta_t and no longer the container_runtime_t type. The pasta type
has much stricter type rules on what the file we hand it must be
labelled. This test tries to mount the runroot which gets relabeled with
the container_file_t type but that means pasta can no longer access its
pid file we give it. To fix this test here simply mount a subdir.
see #26473
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
This patch adds three examples to the podman-generate-spec.1 man page:
- Example of executed without any options
- Example of executed with the `--compact` option
- Example of executed with the `--filename` option
Fixes: #26377
Signed-off-by: shu-kitamura <shusei3316@yahoo.co.jp>
In order to use parallel.Enqueue() it is required to call
parallel.SetMaxThreads() first. However in our main call we have been
doing this after we setup the initial runtime so just move this up.
And while at it move up the cpu and memory profile setup as well so we
can capture the earlier parts as well.
This was most likely introduced by commit 46d874aa52 ("Refactor graph
traversal & use for pod stop") which started using parallel.Enqueue() in
removePod() which then can get called from refresh() when a container
has autoremoval configured.
I tried many hard resets in VMs to reproduce but was unable to do so.
I always got "retrieving temporary directory for container xxx: no such
container" errors instead and it failed to autoremove but no panics.
Besides that many times c/storage was corrupted which made the image I
used unusable and it had to be deleted which is concerning in itself.
Fixes #26469
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Add ExitPolicy key to pod quadlets with logic to default to stop.
Docs updated with clarification on default value and usage example.
Simple assert added to bats to verify default constraint exists.
Changed argument order in ginkgo basic pod unit test
Signed-off-by: Neil Bailey <nbsp@nbailey.net>
They allow overriding the owner of the volume. Differently from
-o=uid= and -o=gid= they are not passed down to the mount operation.
Closes: https://issues.redhat.com/browse/RHEL-76452
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
This patch adds an example of using the `--ignore` option to the podman-secret-rm.1 man page.
Fixes: #26361
Signed-off-by: shu-kitamura <shusei3316@yahoo.co.jp>
When I worked up changes to Buildah's Governance, I found
that Podman's version was missing a few links, and there were
a few minor grammatical tweaks needed.
This addresses those.
For reference, Buildah's Governance Update PR: https://github.com/containers/buildah/pull/6124
Signed-off-by: tomsweeneyredhat <tsweeney@redhat.com>
This was not updated to the latest versions and CI and basically any
user should get it from their distro repos.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
We no longer support CNI upstream and this default config file has not
been needed for years since we started to generate our own default file
internally. And since 4.0.0 the default config file only exists in the
binary and not on disk so this should not be installed by anyone even if
they still happen to use CNI.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
We used this to load the iptables module, since f41 we use nftables by
default which does not need this at all so drop the module load file.
If some distros still default to the legacy iptables they can manually
add the module load file back.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
This script does not bring accurate results. For nice dependency
analysis I can recommend goda:
https://github.com/loov/goda
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
The config file is installed in the remote zip as an example but the
content in there is not being updated and no longer really the way to do
things. With podman 5.0 we have a proper system connection file and
people in general should just use the system connection commands.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
This script was used when dependabot could not deal with vendoring, we
long since moved to renovate which handles it fine with manual steps so
remove this script.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
It doesn't seem to be used anywhere and is not maintained. An up to date
specfile is found in the c/common repo.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
This patch adds an example of using the --time option to the podman-network-rm.1 man page.
Fixes: #26373
Signed-off-by: shu-kitamura <shusei3316@yahoo.co.jp>
This patch adds two usage examples to the podman-system-migrate.1 man page:
- Normal invocation, with no expected output
- Migration to a new OCI runtime (e.g., from crun to runc)
Fixes: #26359
Signed-off-by: Arthur Wu <lion811004@gmail.com>
Previously, our approach was to inspect the volume, grab its
mountpoint, and tar that up, all in the CLI code. There's no
reason why that has to be in the CLI - if we move it into
Libpod, and add a REST endpoint to stream the tar, we can
enable it for the remote client as well.
As a bonus, previously, we could not properly handle volumes that
needed to be mounted. Now, we can mount the volume if necessary,
and as such export works with more types of volumes, including
volume drivers.
Signed-off-by: Matt Heon <mheon@redhat.com>
An artifact without the title annotation just gets the digest as name
which is less than ideal. While it is a decent default to avoid
conflicts users would like to configure the name.
With the name=abc option we will call the file abc in case of a single
artifact and otherwise we use abc-x where x is the layer index starting
at 0 to avoid conflicts.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
If the artifact has a single blob then use the dst path directly as
mount in case it does not exist.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
The prior commit that expanded the examples added an out of
place heading to the manpage for podman-ps, which looks like
a probable AI tool hallucination.
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
The --pod flag is important for users working with pods but lacked
documentation examples. Added examples showing:
- Basic --pod usage to display pod information
- Using --pod with -a to show all containers and their pods
- Filtering containers by pod name
- Custom formatting with pod-related placeholders
Also: removed trailing whitespace on a few lines
Fixes #26367
Assisted-by: Claude Sonnet 4
Removed trailing whitespace on a few lines
Signed-off-by: Mike McGrath <mmcgrath@fedoraproject.org>
MH: Squashed, force-pushed to reset CI
Signed-off-by: Matt Heon <mheon@redhat.com>
The following manpages were missing examples of the `--all` flag:
* podman init
* podman pod pause
* podman secret rm
* podman system connection remove
* podman system prune
Added examples of all.
Fixes #26354
Signed-off-by: Matt Heon <mheon@redhat.com>
As title suggests, this PR is to add Craig as a reviewer role to the
Podman project. Craig is an expert in Windows and WSL. His
collaboration in issues, discussions, and pull requests should be an
asset to the project.
Signed-off-by: Brent Baude <bbaude@redhat.com>
Mainly this fixes an issue of using /dev/zero for block device examples.
Also:
* fix section title;
* remove separate cgroup v2 and v1 examples, only leaving one;
* break long lines.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
In case something other than a block device is supplied, podman proceeds
to apply settings for a block device with the same minor:major.
For example, "--blkio-weight-device /dev/zero:123" (alas, this is taken
literally from podman-update(1) EXAMPLES section) sets blkio weight
for /dev/ram5. Instead, it should error out since /dev/zero is not a
block device.
Add an appropriate check.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
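An added example of the check this commit describes, not podman's own code: it parses a PATH:WEIGHT spec and refuses anything that is not a block device before deriving major:minor, so a character device like /dev/zero can never be turned into settings for an unrelated block device. The names weightDevice, parseWeightDevice and majorMinor are invented for the example, and majorMinor assumes the Linux dev_t encoding.

```go
package main

import (
	"fmt"
	"os"
	"strconv"
	"strings"
	"syscall"
)

// weightDevice is an example type, not podman's.
type weightDevice struct {
	Path         string
	Major, Minor uint32
	Weight       uint16
}

// statBlockDevice stats path and fails unless it is a block device.
// A character device such as /dev/zero sets both ModeDevice and
// ModeCharDevice; a block device sets ModeDevice alone.
func statBlockDevice(path string) (os.FileInfo, error) {
	fi, err := os.Stat(path)
	if err != nil {
		return nil, err
	}
	if m := fi.Mode(); m&os.ModeDevice == 0 || m&os.ModeCharDevice != 0 {
		return nil, fmt.Errorf("%s is not a block device", path)
	}
	return fi, nil
}

// majorMinor splits a Linux dev_t (as found in Stat_t.Rdev) into major and
// minor numbers using the kernel/glibc encoding (assumption: Linux layout).
func majorMinor(dev uint64) (major, minor uint32) {
	major = uint32(((dev >> 8) & 0xfff) | ((dev >> 32) &^ 0xfff))
	minor = uint32((dev & 0xff) | ((dev >> 12) &^ 0xff))
	return major, minor
}

// parseWeightDevice parses "PATH:WEIGHT". The block-device check runs before
// the device numbers are read, so a non-block path errors out instead of
// being applied to whatever block device shares its major:minor.
func parseWeightDevice(spec string) (weightDevice, error) {
	path, weightStr, ok := strings.Cut(spec, ":")
	if !ok {
		return weightDevice{}, fmt.Errorf("bad format %q, expected PATH:WEIGHT", spec)
	}
	w, err := strconv.ParseUint(weightStr, 10, 16)
	if err != nil {
		return weightDevice{}, fmt.Errorf("invalid weight %q: %w", weightStr, err)
	}
	fi, err := statBlockDevice(path)
	if err != nil {
		return weightDevice{}, err
	}
	st, ok := fi.Sys().(*syscall.Stat_t)
	if !ok {
		return weightDevice{}, fmt.Errorf("cannot read device numbers for %s", path)
	}
	major, minor := majorMinor(uint64(st.Rdev))
	return weightDevice{Path: path, Major: major, Minor: minor, Weight: uint16(w)}, nil
}

func main() {
	// The example from the commit message: /dev/zero is a character device,
	// so this must fail rather than configure some block device's weight.
	_, err := parseWeightDevice("/dev/zero:123")
	fmt.Println("/dev/zero:123 ->", err)
}
```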
Refactor these functions to
- avoid repetition of common code (mostly stat of block device path);
- perform early return if nothing is to be done;
- remove some excessive nesting.
It also improves some error messages.
This is a preparation for the next commit.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Changing the validate-in-container make target to use
quay.io/libpod/validatepr:latest. This allows `make validate` to run to
completion doing linting, ed's perl checks, and pre-commit.
The image is now based on F42; `awk` is not part of the base image, so I added `awk`.
Signed-off-by: Brent Baude <bbaude@redhat.com>
The prior version talked about potential access to DBus, but this is a
bogus warning: default OS setups do not bind DBus to localhost or to an
abstract Unix socket. It is possible that the original author was
thinking of CVE-2020-15257, which affected containerd's abstract Unix
socket; they fixed it by switching to a named socket, just as DBus
always (?) has done.
Signed-off-by: Warren Young <wyoung@tangentsoft.com>
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Starting with [1] we now build and publish the wsl image from the
machine-os repo, as such this special case is no longer needed.
[1] https://github.com/containers/podman-machine-os/pull/142
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
This script is no longer used as the device mapper storage driver was
removed over a year ago.
Commit 60692ca already removed the build tag reference but not this
script which set a buildtag for it.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Dynamically link sqlite3 when installed, the main motivation is that we
reduce the podman binary size with that. I see about 2.5 MB savings.
But also dynamically linking it means if there are vulnerabilities only
the sqlite3 distro package needs updating and we don't have to make a
new podman release with the vendored update.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
The local-cross Make target has superseded this old Make target and the
warning to not use it has been in place now for 4+ years.
Removing it to clean up the Makefile slightly.
Signed-off-by: Lewis Roy <lewis@redhat.com>
This exclusion has been there since the make target was added[1]. I wasn't
able to find the reason but this runs on Darwin today and is useful to
be able to run when you are developing bindings on a Mac.
[1] https://github.com/containers/podman/pull/8956
Signed-off-by: Lewis Roy <lewis@redhat.com>
'noatime' flag disables updates to file access times when files are read. This can reduce unnecessary writes and improve performance, especially in read-heavy workloads. Previously, tmpfs did not recognize the 'noatime' mount option and would return an error.
With this change, tmpfs now properly accepts and handles the 'noatime' option.
Fixes: #26102
Signed-off-by: Arthur Wu <lion811004@gmail.com>
It has not been in use since commit f218f8430a and should have been
removed there. It seems somehow it is causing a bug since our env file
is empty. In that case it triggers a segfault and since that happens
from within pam we are unable to login in any way.
I reported the issue[1] but because we don't need this just remove it so
we don't have to wait for a fix.
[1] https://bugzilla.redhat.com/show_bug.cgi?id=2370858
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Do not write /etc/environment.d files, something is broken in the new
image that causes the boot to fail when any basic var is set there.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Users of WSL images currently get podman from the copr rpm on the
release PR with Epoch: 102. This is a problem if the user is looking to
update the image with packages from official Fedora repos.
This commit limits Epoch: 102 to only the podman rpms on
rhcontainerbot/podman-next copr. All other rpms, including other copr
rpms, will use the default Epoch.
Signed-off-by: Lokesh Mandvekar <lsm5@fedoraproject.org>
podman system check --quick currently only skips layer contents, but
practically it's not much quicker than without the flag.
This changes the flag to also skip checking layer digests which speed up
the check significantly.
In some cases, it is useful to opt for a quicker check if we prioritize
detecting and fixing severe corruption and can tolerate minor damage.
The check option is derived from CRI-O's internal repair:
9e4d86d823/internal/lib/container_server.go (L860)
Signed-off-by: Sonny Sasaka <sonnysasaka@gmail.com>
Two incompatible changes, they removed the BridgeNfIP6tables
and BridgeNfIptables fields so we must drop them. As they are not
important ones that should not cause problems.
Second, they moved to using DockerOCIImageConfig from another new module.
The json format did not change so this is not an external API break.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
This patch changes how the detection of wsl works.
The old way of using wsl --status command output to detect some missing features required by WSL is not fully reliable.
WSL checks if the wsl feature is enabled and if the vmcompute service does exist. However, this is not enough to identify if the virtual machine platform feature is enabled. The vmcompute service could exist because it has been installed by other tools or it could exist but be stopped.
The way proposed by this patch is to try to execute the import command and,
if it fails, check the error and if it is related to the Host Compute
Service try to install all features required by WSL.
The flow is the same as before, the user is asked to execute the podman
machine init command with elevated privileges. Eventually, after
enabling WSL and VMP features, the user is asked to reboot the machine.
When the machine restarts, the powershell gets invoked again and executes
the command init.
The code also fixes some issues that could cause misbehaviors when
invoking recursively the elevated shell, like an unreleased lock, or a
missing file.
Signed-off-by: lstocchi <lstocchi@redhat.com>
This patch adds a new endpoint to the REST API called "artifacts" with
the following methods:
- Add
- Extract
- Inspect
- List
- Pull
- Push
- Remove
This API will be utilised by the Podman bindings to add OCI Artifact
support to our remote clients.
Jira: https://issues.redhat.com/browse/RUN-2711
Signed-off-by: Lewis Roy <lewis@redhat.com>
podman's logic to parse excludes from `--ignorefile` is not consistent
with buildah, use code directly from imagebuilder.
Closes: https://github.com/containers/podman/issues/25746
Signed-off-by: flouthoc <flouthoc.git@gmail.com>
Added support for "podman buildx inspect". The goal was to replicate the default output from "docker buildx inspect" as
much as possible but a problem encountered was podman not supporting BuildKit. To replicate the output I resorted to
printing the statements with default values but only changed the driver name to use podman instead of docker. Since
there was no buildkit, gave it the value of "N/A" to depict it's not supported. For Platforms, I resorted to using
the emulated architectures found on your linux system + the host architecture of your local machine or podman server. The
bootstrap flag was also added but is considered a NOP since there is no buildkit container to run before running inspect.
An extra field was added to the HostInfo struct so when you run "podman info" the emulated architectures will show, this
was used so you can grab the information from the podman engine.
Fixes #13014
Signed-off-by: Joshua Arrevillaga <2004jarrevillaga@gmail.com>
We should fully replace the options, now that we vendored the
libnetwork/resolvconf changes into podman this just works.
Fixes: #22399
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Previously there is a minor logic error, which causes podman system
check to do the check twice although there is no repair flag.
Signed-off-by: Sonny Sasaka <sonnysasaka@gmail.com>
We like to append the host servers in that case so that we do not only
force dns.podman.
Fixes: #24713
Fixes: https://issues.redhat.com/browse/RHEL-83787
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Netavark v1.15 added new warnings on some invalid names and that
triggered a new test failure in podman e2e test.
The "Podman kube play with disabled cgroup" case now complains about an
empty name:
podman [options] kube play /tmp/CI_aM20/podman-e2e-3156601197/subtest-3441376193/p/kube.yaml
[WARN netavark::network::bridge] invalid network alias "": name is empty, ignoring this name
This is because this test does not set a container name thus the code
was adding an empty string so to fix it check if the name is not empty
first.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
We are not opting into the ostree backend, and it doesn't
build: https://github.com/containers/image/pull/2821 .
So, stop referencing the dependency.
Should not change behavior.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
Docker does not require `--type` to be passed, defaulting to
`type=volume` in cases where it's not passed. Do the same in our
volume parsing, and add a test to verify this works as expected.
Fixes #26101
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
Given I wrote this and I still mess it up on a regular basis, I
cannot be alone in forgetting whether "dst" or "dest" is the
correct short option for "destination". Let's just make both
valid, I don't see a reason not to.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
Remove the no longer correct statement that quadlet does not translate
our own custom unit types
Fixes: e498c652 ("Quadlet - translate dependencies on other quadlet units")
Fixes: #26243
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Currently setting log_tag from containers.conf will override any value
set via --log-opt tag=value option. This commit fixes this.
Fixes: https://github.com/containers/podman/issues/26236
Signed-off-by: Povilas Kanapickas <povilas@radix.lt>
Per Adrian Reber, the aarch64 kernel doesn't support the soft dirty bit
and support isn't expected anytime soon.
Ref: https://github.com/checkpoint-restore/criu/issues/2676
Signed-off-by: Lokesh Mandvekar <lsm5@fedoraproject.org>
When using `docker compose run --entrypoint ''`, docker sends
`"Entrypoint": []` in the JSON. Podman currently treats that
as `nil` and falls back to the default image entrypoint.
This is not what is expected by the user. Instead, it should
not use any entrypoint.
This commit fixes it by properly propagating the `[]` downstream
to libpod.
Fixes: #26078
Signed-off-by: Jan Kaluza <jkaluza@redhat.com>
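An added example, not podman's code, of the distinction this commit relies on: in Go, encoding/json decodes an absent or null field into a nil slice but decodes `[]` into a non-nil empty slice, so the two cases can be told apart and only the nil case should fall back to the image's entrypoint. The createRequest type and the resolveEntrypoint and entrypointIntent helpers are constructed for this example and do not mirror podman's real types.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// createRequest holds the part of a compat create body this example cares
// about. Assumed field names; not podman's real request type.
type createRequest struct {
	Image      string   `json:"Image"`
	Entrypoint []string `json:"Entrypoint"`
}

// parseCreateRequest decodes the JSON body. With encoding/json:
//   missing field or null  -> Entrypoint == nil
//   "Entrypoint": []       -> Entrypoint != nil, len 0
//   "Entrypoint": ["a"]    -> Entrypoint != nil, len 1
func parseCreateRequest(body []byte) (createRequest, error) {
	var req createRequest
	if err := json.Unmarshal(body, &req); err != nil {
		return createRequest{}, err
	}
	return req, nil
}

// entrypointIntent names what the client asked for, so the three cases
// above are not collapsed into two.
func entrypointIntent(requested []string) string {
	switch {
	case requested == nil:
		return "image default"
	case len(requested) == 0:
		return "none"
	default:
		return "explicit"
	}
}

// resolveEntrypoint applies that intent: only a nil slice means "use the
// image's entrypoint"; an explicit empty array yields no entrypoint at all,
// which is what `docker compose run --entrypoint ''` expects.
func resolveEntrypoint(requested []string, imageEntrypoint []string) []string {
	if requested == nil {
		return imageEntrypoint
	}
	return requested
}

func main() {
	image := []string{"/entry.sh"}
	// Constructed request bodies covering the three cases.
	for _, body := range []string{
		`{"Image":"alpine"}`,
		`{"Image":"alpine","Entrypoint":null}`,
		`{"Image":"alpine","Entrypoint":[]}`,
		`{"Image":"alpine","Entrypoint":["/bin/sh","-c"]}`,
	} {
		req, err := parseCreateRequest([]byte(body))
		if err != nil {
			fmt.Println(body, "->", err)
			continue
		}
		fmt.Printf("%-50s intent=%-13s effective=%q\n", body,
			entrypointIntent(req.Entrypoint), resolveEntrypoint(req.Entrypoint, image))
	}
}
```

The check that matters is `requested == nil`, not `len(requested) == 0`: the latter is what silently turns an explicit "no entrypoint" back into the image default.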
When a container has no image, i.e. using rootfs like our new infra
containers then the Image function crashed trying to show the first 12
image ID chars. If there is no image simply show nothing there.
Fixes: #26224
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Specifically, this does two things:
1. Turn on case-sensitive LIKE queries. Technically, this is not
specific to volumes, as it will also affect container and pod
lookups - but there, it only affects IDs. So `podman rm abc123`
will not be the same as `podman rm ABC123` but I don't think
anyone was manually entering uppercase SHA256 hash IDs so it
shouldn't matter.
2. Escape the _ and % characters in volume lookup queries. These
are SQLite wildcards, and meant that `podman volume rm test_1`
would also match `podman volume rm testa2` (or any character in
place of the underscore). This isn't done with pod and container
lookups, but again those just use LIKE for IDs - so technically
`podman volume rm abc_123` probably works and removes containers
with an ID matching that pattern... I don't think that matters
though.
Fixes #26168
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
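An added example of the escaping this commit describes, not podman's code: escapeLike neutralises the SQLite LIKE wildcards `_` and `%` (and the escape character itself), the query builders bind the value as a parameter together with an ESCAPE clause, and likeMatch is a small stand-in for SQLite's case-sensitive LIKE (as after PRAGMA case_sensitive_like=ON) so the effect can be observed without a database. The table and column names, the helper names and the use of backslash as escape character are assumptions made for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// likeEscapeChar is the character declared in the query's ESCAPE clause.
const likeEscapeChar = '\\'

// escapeLike makes a literal value safe to embed in a LIKE pattern: without
// it, the name "test_1" is a pattern that also matches "testa1" or "test-1".
func escapeLike(s string) string {
	var b strings.Builder
	for _, r := range s {
		switch r {
		case '%', '_', likeEscapeChar:
			b.WriteRune(likeEscapeChar)
		}
		b.WriteRune(r)
	}
	return b.String()
}

// volumeLookupQuery looks up a volume by its exact name. The value is bound
// as a parameter (never concatenated) and ESCAPE tells SQLite which
// character we used. Assumed table/column names.
func volumeLookupQuery(name string) (query string, arg string) {
	return "SELECT Name FROM VolumeConfig WHERE Name LIKE ? ESCAPE '\\';", escapeLike(name)
}

// idPrefixQuery keeps the "prefix of an ID" semantics used for container and
// pod lookups: the user's text is escaped, then one real % is appended.
func idPrefixQuery(prefix string) (query string, arg string) {
	return "SELECT ID FROM ContainerConfig WHERE ID LIKE ? ESCAPE '\\';", escapeLike(prefix) + "%"
}

// likeMatch reimplements SQLite LIKE semantics for the demonstration:
// % matches any run, _ matches exactly one character, and a character
// preceded by the escape character is taken literally. Case-sensitive.
func likeMatch(pattern, s string) bool {
	return matchRunes([]rune(pattern), []rune(s))
}

func matchRunes(p, t []rune) bool {
	for len(p) > 0 {
		switch {
		case p[0] == likeEscapeChar && len(p) > 1:
			if len(t) == 0 || t[0] != p[1] {
				return false
			}
			p, t = p[2:], t[1:]
		case p[0] == '%':
			for i := 0; i <= len(t); i++ {
				if matchRunes(p[1:], t[i:]) {
					return true
				}
			}
			return false
		case p[0] == '_':
			if len(t) == 0 {
				return false
			}
			p, t = p[1:], t[1:]
		default:
			if len(t) == 0 || t[0] != p[0] {
				return false
			}
			p, t = p[1:], t[1:]
		}
	}
	return len(t) == 0
}

func main() {
	// Constructed volume names; "test_1" is the name the user asked to remove.
	existing := []string{"test_1", "testa1", "test-1", "test_10"}
	for _, name := range existing {
		fmt.Printf("%-8s raw=%-5v escaped=%v\n", name,
			likeMatch("test_1", name), likeMatch(escapeLike("test_1"), name))
	}
	q, arg := volumeLookupQuery("test_1")
	fmt.Println(q, "with", arg)
}
```

The raw column shows the old behaviour (one lookup matching three volumes); the escaped column shows exactly one match. The trailing `%` in idPrefixQuery is appended after escaping, which is the only place a wildcard should enter the pattern.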
After the system reboot, the Rootfs for infra-container can
be removed. This can happen when it is stored on tmpfs.
This commit recreates the infra-container directory which is
used for Rootfs for infra-container before mounting it.
Fixes: #26190
Signed-off-by: Jan Kaluza <jkaluza@redhat.com>
The e2e tests for device access involving /dev/kmsg could fail
intermittently. This was due to a race condition where concurrent
writes to the kernel log buffer by other processes, while the test
was reading from /dev/kmsg, could cause the read to fail with ESPIPE.
Fixes: https://github.com/containers/podman/issues/23882
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
The Windows source folder path was not converted in the corresponding
machine folder path when the volume was of type overlay as it does for
other bind mount volumes.
Fix #25988
Signed-off-by: Mario Loriedo <mario.loriedo@gmail.com>
getAllDependencies() skips recursing into dependencies that are already
running, but BuildContainerGraph() expects a *complete* set of inputs
and returns an error if any are missing. Thus, podman will fail to start
a container with already-running direct dependencies that, in turn, have
their own dependencies.
None of the other callers of BuildContainerGraph() omit anything from
their list of containers, so follow the same approach here, and just
let startNode figure out if a start is actually needed.
Fixes: containers/podman-compose#921
Signed-off-by: Ryan Gonzalez <ryan.gonzalez@collabora.com>
Hard coding to none without checking containers.conf is not a good idea
as users who liked the previous behavior and the podman default behavior
of keeping the hosts entries can no longer do that.
With this commit they can set base_hosts_file = "/etc/hosts" to restore
the previous behavior.
Fixes: https://issues.redhat.com/browse/RHEL-92995
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Our release is created by a GitHub action, and GitHub prevents workflows from running on events that were caused by other workflows to prevent unlimited recursion.
To get around this, use a reusable workflow to trigger the podman.io version bump from the release action.
Signed-off-by: Ashley Cui <acui@redhat.com>
If we're not planning to automatically push every new release to centos
stream, then this job only ends up causing noise.
Signed-off-by: Lokesh Mandvekar <lsm5@fedoraproject.org>
Access to the cpuset cgroup controller is needed to run these tests.
Configuration on the CI workers prevents access to this controller
for rootless pods.
Signed-off-by: François Poirotte <clicky@erebot.net>
This commit adds two new annotations named
io.podman.annotations.cpuset/$ctrname and
io.podman.annotations.memory-nodes/$ctrname
The first one allows restricting a container's execution to specific
CPU cores while the second restricts memory allocations to specific
NUMA memory nodes. They are also added automatically when the
--cpuset-cpus and --cpuset-mems options are used.
Fixes: containers#26172
Signed-off-by: François Poirotte <clicky@erebot.net>
There is no reason to define a dummy service to run sleep just to get
the podman.socket enabled. Enabling a service is just creating the
symlink so we can do that for the user sessions as well.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
When a custom username is requested we must still enable lingering for
it. The linger setup in the coreos image with the hard coded core user
doesn't really make sense as it doesn't work when another name is used.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
The podman machine copy test "attempt copying file to a new directory"
was failing because on recent versions of Windows the error message
doesn't match the expected error message. To make it work on new and
old versions of Windows, both old and new error messages are now
considered valid.
Fixes https://github.com/containers/podman/issues/26056
Signed-off-by: Mario Loriedo <mario.loriedo@gmail.com>
The image quay.io/libpod/alpine_nginx doesn't have a `linux/arm64` version
and the test "Single character volume mount" on Windows ARM64 was
failing. Changing it to TESTIMAGE (quay.io/libpod/testimage) fixes it.
Signed-off-by: Mario Loriedo <mario.loriedo@gmail.com>
The count function for / and /proc results in the same value so the
order is not guaranteed. We must ensure that a / mount is always first
in the spec so that other mounts are not overshadowed by it.
Fixes: #26161
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
We've added a bunch of new automation to make releases easier. Update RELEASE_PROCESS.md to reflect the changes.
Signed-off-by: Ashley Cui <acui@redhat.com>
We do our proper machine os image builds in podman-machine-os now and
with [1] we also publish a next tag for easy testing. As such this
action is no longer needed.
[1] https://github.com/containers/podman-machine-os/pull/128
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
A recent change[1] in netavark makes it so we no longer set the default
dns.podman search domain. As such we must no longer test for it.
Follow up to 254ab3b90f ("test/system: do not check dns.podman")
[1] https://github.com/containers/netavark/pull/1214
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
runc is not the only runtime supporting --pre-checkpoint.
crun commit 0683fec8b mentions:
"This commit takes the interface as implemented in runc and implements it
for crun. "
Signed-off-by: Erik Sjölund <erik.sjolund@gmail.com>
When podman restarts, config values within the Engine are lost.
Add --hook-dirs arguments as appropriate to the cleanup command
so that hooks are preserved on restarts due to the on-restart setting.
Tests: add a check that prestart/poststop hooks ran every time after 2
restarts.
`wait_for_restart_count` was re-used to wait for restarts and moved to
helpers file.
Signed-off-by: Dominique Martinet <dominique.martinet@atmark-techno.com>
Fixes: #17935
The conditions are always true so they can be removed. And in the case
of exportCheckpoint() the scope means addToTarFiles was overwritten and
thus when it looped over it later the slice was always empty.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Previously, the HealthCheck exec session would not terminate on timeout, allowing the healthcheck to run indefinitely.
Fixes: https://issues.redhat.com/browse/RHEL-86096
Signed-off-by: Jan Rodák <hony.com@seznam.cz>
This fixes an issue where multiple paths separated by a colon were
treated as a single path, contrary to what docs say and unlike how mask
option works.
Test was updated with a case that fails without this commit.
Signed-off-by: Šimon Škoda <ver4a@uncontrol.me>
Adds the build of the arm64 windows installer as part of the release
GitHub workflow.
When a Windows installer is uploaded to the GitHub release, it is named
consistently with the macOS one:
`podman-installer-windows-${GOARCH}.exe`
Signed-off-by: Mario Loriedo <mario.loriedo@gmail.com>
Includes the necessary changes so that the `Makefile` target
`release-artifacts` builds the `-windows_arm64.zip` too.
In particular the arm64 versions of gvproxy and win-sshproxy
are downloaded as part of the windows arm64 release zip file.
Signed-off-by: Mario Loriedo <mario.loriedo@gmail.com>
This is a followup of https://github.com/containers/podman/pull/26048
It fixes `process-release.ps1` that was always looking for the amd64 release
zip file, even if `$env:PODMAN_ARCH` was set to arm64. With this fix it looks
for the right zip file.
It fixes `winmake.ps1` that, when the `-arch` param was not passed, set `$env:PODMAN_ARCH`
to the empty string instead of the local `$env:GOARCH`.
Signed-off-by: Mario Loriedo <mario.loriedo@gmail.com>
When a container is being removed, podman iterates
through its exec sessions and checks whether the exec
session pid is still alive.
The problem is that the pid can be reused for other processes,
so it may not belong to the exec session.
In this scenario podman may kill another process.
This commit prevents that by making the following changes:
- Adds the PIDData string to the ExecSession struct. This string
is used to store additional context for a PID to later verify
that the PID killed by podman is really the one started by
it.
- Adds a new package called pidhandle which implements the methods
generating the PIDData, and killing the PID with the PIDData,
ensuring the right PID is killed by verifying the metadata.
The new code uses pidfd_open and name_to_handle_at when available.
It falls back to getting the process start time using the gopsutil package.
Fixes: #25104
Signed-off-by: Jan Kaluza <jkaluza@redhat.com>
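To illustrate the PID-reuse guard this commit describes, here is an added example (not podman's pidhandle package) that implements only the start-time fallback by reading field 22 of /proc/<pid>/stat directly instead of through gopsutil, and refuses to signal a PID whose recorded PIDData no longer matches; the "starttime:" encoding, ErrPIDMismatch and the function names are this example's own.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"strconv"
	"strings"
	"syscall"
)

// ErrPIDMismatch is returned when the PID is alive but belongs to a
// different process than the one the PIDData was recorded for.
var ErrPIDMismatch = errors.New("pid does not match recorded PIDData, refusing to kill")

// readStartTime returns field 22 of /proc/<pid>/stat (process start time in
// clock ticks since boot). A recycled PID gets a new start time, so this
// value tells the original process apart from a later one with the same PID.
func readStartTime(pid int) (uint64, error) {
	raw, err := os.ReadFile(fmt.Sprintf("/proc/%d/stat", pid))
	if err != nil {
		return 0, err
	}
	s := string(raw)
	// The comm field (2) is parenthesised and may itself contain spaces or
	// parentheses, so only split the text after the last ')'.
	end := strings.LastIndexByte(s, ')')
	if end < 0 || end+1 >= len(s) {
		return 0, fmt.Errorf("malformed stat for pid %d", pid)
	}
	fields := strings.Fields(s[end+1:]) // fields[0] is field 3 (state)
	const startTimeIdx = 22 - 3
	if len(fields) <= startTimeIdx {
		return 0, fmt.Errorf("stat for pid %d has too few fields", pid)
	}
	return strconv.ParseUint(fields[startTimeIdx], 10, 64)
}

// NewPIDData records identifying context for pid at the moment the exec
// session is started (hypothetical "starttime:<ticks>" encoding).
func NewPIDData(pid int) (string, error) {
	st, err := readStartTime(pid)
	if err != nil {
		return "", err
	}
	return "starttime:" + strconv.FormatUint(st, 10), nil
}

// MatchesPIDData reports whether pid is still the process described by
// pidData. It returns (false, nil) when the PID is gone or was recycled.
func MatchesPIDData(pid int, pidData string) (bool, error) {
	want, ok := strings.CutPrefix(pidData, "starttime:")
	if !ok {
		return false, fmt.Errorf("unsupported PIDData %q", pidData)
	}
	st, err := readStartTime(pid)
	if errors.Is(err, os.ErrNotExist) {
		return false, nil // process already exited, nothing to kill
	}
	if err != nil {
		return false, err
	}
	return strconv.FormatUint(st, 10) == want, nil
}

// KillIfMatches sends sig to pid only after verifying it is still the
// process recorded in pidData, so a reused PID is never signalled.
func KillIfMatches(pid int, pidData string, sig syscall.Signal) error {
	ok, err := MatchesPIDData(pid, pidData)
	if err != nil {
		return err
	}
	if !ok {
		return ErrPIDMismatch
	}
	// Remaining TOCTOU window: the process could exit and its PID be reused
	// between this check and the kill. pidfd_open closes that window, which
	// is why it is preferred when the kernel supports it.
	return syscall.Kill(pid, sig)
}

func main() {
	pid := os.Getpid()
	data, err := NewPIDData(pid)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println("PIDData for self:", data)
	// Stale data for our own PID must be refused rather than killing ourselves.
	err = KillIfMatches(pid, "starttime:1", syscall.SIGTERM)
	fmt.Println("kill with stale PIDData:", err)
}
```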
Create GitHub action to automatically bump to a -dev version after a release is tagged.
On a branch:
- The bump will always be a z bump on branches
- If the bump is to an RC, then the bump will be back down to dev (ie, 9.9.0-rc1 to 9.9.0-dev)
- If the bump is not an RC, the bump will be up to dev (ie, 9.9.0 to 9.9.1-dev)
On main:
- If the X.Y version on main is smaller than the X.Y on the release tag, this action will open a PR to bump the version on main to the release tag's X.Y+1
- Major version (X) dev bumps will still need to be manual
Signed-off-by: Ashley Cui <acui@redhat.com>
Winmake could only build amd64 artifacts (podman-remote, gvproxy,
win-sshproxy, podman.msi and podman-setup.exe).
This commit makes the necessary change to winmake so that it:
1) builds arm64 artifacts when executed on arm64
2) cross-compiles to arm64/amd64 with the `-architecture` parameter
It depends on https://github.com/containers/podman/pull/26023 that
removes the need to build `check.c` code (that is not used anyway).
Signed-off-by: Mario Loriedo <mario.loriedo@gmail.com>
This commit introduces TMT test jobs triggered via packit to run system
tests on testing-farm infrastructure. Tests are run for
Fedora 41, 42 and rawhide on x86_64. The same
test plan will be reused by Fedora for bodhi, zuul and fedora-ci gating
tests. Packit will handle syncing of test plan and sources from upstream
to downstream.
Packit failure notification has also been updated to be less noisy and
let people know they are free to ignore any failures.
TODO:
1. Enable jobs for CentOS Stream and aarch64 envs.
2. Enable separate set of jobs for release branches as they need to be
tested with official distro packages, not with bleeding-edge
packages.
Signed-off-by: Lokesh Mandvekar <lsm5@fedoraproject.org>
Get the timezone off the localtime symlink like systemd does it.
It is more efficient than fork/exec'ing another command for it that may or
may not exist, and the /etc/timezone file doesn't exist on most distros
so that is not a great fallback.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
If you run timedatectl inside, it will not show the correct timezone; it
seems systemd really wants a relative link which is also documented by
coreos[1]. Also we can just use path.Join() directly and don't have to
convert the path again on windows.
[1] https://docs.fedoraproject.org/en-US/fedora-coreos/time-zone/#_setting_the_time_zone_via_ignition
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
It makes no sense to forward it, SIGSTOP cannot be handled by
userspace (like SIGKILL) and it didn't do anything before so this just
makes it more explicit.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Instead of catching all signals and then ignoring them inside the loop
again just don't register them in Notify() to begin with.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
If the container is already removed do not log a warning as this happens
in parallel so it is possible the container was already removed. The
flake was shown in https://github.com/containers/podman/pull/26017.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
The tests for device I/O limits were using `/dev/zero`,
which is not a block device suitable for these cgroup
controls.
Update the tests to use `/dev/nullb0` if it exists.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
The tests were incorrectly using `/dev/zero`. These options are
intended to set I/O limits on specific block devices.
The test already sets up a loopback device, so reuse it.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Cgroup block I/O limits cannot be applied to character devices.
Ignore character devices in the inspect output.
Update the API tests to use the null block device `/dev/nullb0` (if
available) instead of `/dev/zero` for testing I/O limits.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
In cases where systemd was not available, podman machine was erroring
out using timedatectl (it requires systemd). On other providers like
Windows, we don't do any timezone detection so it seems valid to return
a "" for timezone. This fixes the first problem described in #25950.
Fixes: https://github.com/containers/podman/issues/25950
Signed-off-by: Brent Baude <bbaude@redhat.com>
This PR removes the file `check.c` and the instructions
to build it. The file was still built but the resulting
dll was not used by the installer anymore (see
https://github.com/containers/podman/pull/25237).
Signed-off-by: Mario Loriedo <mario.loriedo@gmail.com>
Machines configured to mount local paths containing
spaces failed to start on Hyper-V and silently failed
to mount the folder on macOS/Linux.
On Windows/hyperv, where local paths are mounted
running a 9p client inside the VM, the local host
path needs to be surrounded with quotation marks
before being used in a `podman machine ssh ...` command.
A similar behavior happened on Linux/QEMU where the
path was used in an SSH command to mount the folder
using virtiofs. Quoting the path when building the
command arguments fixed the problem.
On macOS/libkit,applehv the path was written as is
in a systemd unit name to instruct how to mount it.
Escaping space chars so that they are parsed
successfully fixed this:
```diff
-- enable path with spaces.mount
++ enable path\x20with\x20spaces.mount
```
Fixes https://github.com/containers/podman/issues/25500
Signed-off-by: Mario Loriedo <mario.loriedo@gmail.com>
Otherwise we evaluate NATIVE_GOOS before it is set, which breaks the
FreeBSD build since various make variables are not set correctly.
Fixes: #26006
Signed-off-by: Mark Johnston <mark.johnston@klarasystems.com>
In the instance where the user sends a signal, such as SIGINT (Ctrl-C)
when a Podman Machine is in the middle of starting, make sure the state
doesn't get stuck in the "Currently Starting" status.
Resolves: #24416
Signed-off-by: Jake Correnti <jakecorrenti+github@proton.me>
Locally building the Windows installer requires building
the documentation. And building documentation
requires Pandoc.
There are no pre-built binaries for Windows arm64
and this makes it complicated to build the Podman
Windows installer on Windows arm64.
To unlock this scenario we are adding a new winmake.ps1
target to build the documentation in a container (where
Pandoc is pre-installed).
Signed-off-by: Mario Loriedo <mario.loriedo@gmail.com>
Also remove the outdated comment that said to update the version in the
README.md file, that is no longer there since commit 8e7f98ae65
("docs(readme): add status badges and remove hardcoded release info").
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
If this fails we should know exactly what failed. The underlying
connection error might just be unexpected EOF or something which is not
helpful.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
In the case of a Decoder error which is not EOF we loop forever, as the
Decoder stores some errors and each subsequent Decode() call will keep returning
the same error. Thus we loop forever until we run out of memory, as each
error was stored in the pullErrors array as described in [1].
Note this does not actually fix whatever causes the underlying
connection error in the issue, it just fixes the loop/memory leak.
[1] https://github.com/containers/podman/issues/25974
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Add `--swap` argument to `podman machine init` command.
Passing an int64 value to this flag will trigger the Podman machine
ignition file to be generated with a zram-generator.conf file containing
the --swap value as the zram-size argument.
This file is read by the zram-generator systemd service on boot
resulting in a zram swap device being created.
Fixes: https://github.com/containers/podman/issues/15980
Signed-off-by: Lewis Roy <lewis@redhat.com>
Command `podman machine init` for Hyper-V machines invokes the command
`podman machine server9` and redirects its output to a file. But the
file descriptor was closed before being used and the output file was
always empty.
Signed-off-by: Mario Loriedo <mario.loriedo@gmail.com>
The `OWNERS` file contains an incorrect Github handle `honny1`. The correct Github handle is `Honny1`. This causes `/approve` comments to have no effect on PR. The `MAINTAINERS.md` file contains the correct Github handle.
Signed-off-by: Jan Rodák <hony.com@seznam.cz>
The JSON decoder correctly cannot decode (overflow) negative values (e.g., `-1`) for fields of type `uint64`, as `-1` is used to represent `max` in `POSIXRlimit`. To handle this, we use `tmpSpecGenerator` to decode the request body. The `tmpSpecGenerator` replaces the `POSIXRlimit` type with a `tmpRlimit` type that uses the `json.Number` type for decoding values. The `tmpRlimit` is then converted into the `POSIXRlimit` type and assigned to the `SpecGenerator`.
This approach ensures compatibility with the Podman CLI and remote API, which already handle `-1` by casting it to `uint64` (`uint64(-1)` equals `MaxUint64`) to signify `max`.
Fixes: https://issues.redhat.com/browse/RUN-2859
Fixes: https://github.com/containers/podman/issues/24886
Signed-off-by: Jan Rodák <hony.com@seznam.cz>
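The decoding problem this commit describes, as an added example that is not podman's handler code: the `POSIXRlimit` and `tmpRlimit` shapes, the `rlimits` request field and the function names are constructed for the example, and the choice to reject negative values other than `-1` is the example's own policy.

```go
package main

import (
	"encoding/json"
	"fmt"
	"math"
	"strconv"
)

// POSIXRlimit has the shape of the OCI runtime-spec rlimit (constructed for
// this example): hard/soft are uint64, so a plain decoder rejects -1.
type POSIXRlimit struct {
	Type string `json:"type"`
	Hard uint64 `json:"hard"`
	Soft uint64 `json:"soft"`
}

// tmpRlimit mirrors POSIXRlimit but takes the limits as json.Number, which
// accepts any JSON number literal and lets us interpret -1 ourselves.
type tmpRlimit struct {
	Type string      `json:"type"`
	Hard json.Number `json:"hard"`
	Soft json.Number `json:"soft"`
}

// rlimitValue converts a decoded number to uint64, mapping -1 to MaxUint64
// (the same value as the CLI's uint64(-1) cast). Other negatives and
// non-integers are rejected rather than silently wrapped (example policy).
func rlimitValue(n json.Number) (uint64, error) {
	if n == "" {
		return 0, nil // field absent
	}
	if u, err := strconv.ParseUint(n.String(), 10, 64); err == nil {
		return u, nil
	}
	i, err := strconv.ParseInt(n.String(), 10, 64)
	if err != nil {
		return 0, fmt.Errorf("rlimit value %q is not an integer", n)
	}
	if i != -1 {
		return 0, fmt.Errorf("rlimit value %d is negative; only -1 (max) is allowed", i)
	}
	return math.MaxUint64, nil
}

// toPOSIXRlimit converts the temporary form into the real spec type.
func (t tmpRlimit) toPOSIXRlimit() (POSIXRlimit, error) {
	hard, err := rlimitValue(t.Hard)
	if err != nil {
		return POSIXRlimit{}, fmt.Errorf("%s hard: %w", t.Type, err)
	}
	soft, err := rlimitValue(t.Soft)
	if err != nil {
		return POSIXRlimit{}, fmt.Errorf("%s soft: %w", t.Type, err)
	}
	return POSIXRlimit{Type: t.Type, Hard: hard, Soft: soft}, nil
}

// DecodeRlimits decodes the "rlimits" array of a request body through the
// temporary type and then converts each entry, as the commit describes.
func DecodeRlimits(body []byte) ([]POSIXRlimit, error) {
	var tmp struct {
		Rlimits []tmpRlimit `json:"rlimits"`
	}
	if err := json.Unmarshal(body, &tmp); err != nil {
		return nil, err
	}
	out := make([]POSIXRlimit, 0, len(tmp.Rlimits))
	for _, r := range tmp.Rlimits {
		rl, err := r.toPOSIXRlimit()
		if err != nil {
			return nil, err
		}
		out = append(out, rl)
	}
	return out, nil
}

// decodeDirect shows the failure mode: decoding -1 straight into uint64
// returns an unmarshal type error instead of the intended "max".
func decodeDirect(body []byte) error {
	var spec struct {
		Rlimits []POSIXRlimit `json:"rlimits"`
	}
	return json.Unmarshal(body, &spec)
}

func main() {
	// Constructed request body, as an API client would send it.
	body := []byte(`{"rlimits":[{"type":"RLIMIT_NOFILE","hard":-1,"soft":1024}]}`)
	fmt.Println("direct decode error:", decodeDirect(body))
	rl, err := DecodeRlimits(body)
	fmt.Printf("via tmpRlimit: %+v err=%v\n", rl, err)
}
```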
The Docker `-XDELETE image/$name?force=true` endpoint only removes
containers using an image if they are in a non running state.
In Podman, when forcefully removing images we also forcefully delete
containers using the image including running containers.
This patch changes the Docker image force delete compat API to act like the
Docker API while maintaining commands like `podman rmi -f $imagename`
It also corrects the API return code returned when an image is requested
to be deleted with running containers using it.
Fixes: https://github.com/containers/podman/issues/25871
Signed-off-by: Lewis Roy <lewis@redhat.com>
The test is checking that named volumes could be used. FS mount is not
needed and there is no code testing anything around it.
Signed-off-by: Arthur Sengileyev <arthur.sengileyev@gmail.com>
Like podman run --rm, start --attach must also ensure the container is
removed before it exits. Otherwise there is a race where the container
still exists after the command exits, because removal would only happen
by the cleanup process in the background.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
This looks like debug leftover, in any case this is not an error so
simply remove the line.
Fixes: #25965
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Packit's default behaviour of merging commits on PR copr build jobs ends
up creating a HEAD commit ID that doesn't exist upstream. This commit
disables that behaviour.
This way, copr builds from release PR can be used for podman-machine-os
builds.
Co-authored-by: Matej Focko <mfocko@users.noreply.github.com>
Signed-off-by: Lokesh Mandvekar <lsm5@fedoraproject.org>
The backstory for this is that runc 1.2 (opencontainers/runc#3967)
fixed a long-standing bug in our mount flag handling (a bug that crun
still has). Before runc 1.2, when dealing with locked mount flags that
user namespaced containers cannot clear, trying to explicitly clear
locked flags (like rw clearing MS_RDONLY) would silently ignore the rw
flag in most cases and would result in a read-only mount. This is
obviously not what the user expects.
What runc 1.2 did is that it made it so that passing clearing flags
like rw would always result in an attempt to clear the flag (which was
not the case before), and would (in all cases) explicitly return an
error if we try to clear locking flags. (This also let us finally fix a
bunch of other long-standing issues with locked mount flags causing
seemingly spurious errors).
The problem is that podman sets rw on all mounts by default (even if
the user doesn't specify anything). This is actually a no-op in
runc 1.1 and crun because of a bug in how clearing flags were handled
(rw is the absence of MS_RDONLY but until runc 1.2 we didn't correctly
track clearing flags like that, meaning that rw would literally be
handled as if it were not set at all by users) but in runc 1.2 leads to
unfortunate breakages and a subtle change in behaviour (before, a ro
mount being bind-mounted into a container would also be ro -- though
due to the above bug even setting rw explicitly would result in ro in
most cases -- but with runc 1.2 the mount will always be rw even if
the user didn't explicitly request it which most users would find
surprising). By the way, this "always set rw" behaviour is a departure
from Docker and it is not necessary.
Signed-off-by: rcmadhankumar <madhankumar.chellamuthu@suse.com>
This was discovered by a user while testing Podman on FreeBSD
(oci-playground/freebsd-podman-testing/issues/17). The error message
didn't stop 'podman system reset' from working and this commit simply
suppresses the error on FreeBSD.
Signed-off-by: Doug Rabson <dfr@rabson.org>
2025-02-11 15:13:29 +00:00
2061 changed files with 46985 additions and 120555 deletions
@ -117,6 +117,10 @@ Pull requests that change the vendor/ directory directly will not be accepted.
Instead, changes should be submitted to the original package (defined by the path in `vendor/`; for example, `vendor/github.com/containers/storage` is the [containers/storage library](https://github.com/containers/storage/).
Once the changes have been merged into the original package, Podman's vendor directory can be updated by using `go get` on the appropriate version of the package, then running `make vendor` or `make vendor-in-container`.
## Codebase structure
Description about important directories in our repository is found [here](./docs/CODE_STRUCTURE.md).
## Testing
Podman provides an extensive suite of regression tests in the `test/` directory.
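Review bot: the sentence added under `## Codebase structure` reads awkwardly; "Description about important directories in our repository is found here" should be "A description of the important directories in our repository can be found [here](./docs/CODE_STRUCTURE.md)". Please also confirm that `docs/CODE_STRUCTURE.md` is added in this same change, otherwise the new link in CONTRIBUTING.md is dead.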
@ -236,7 +240,7 @@ It’s important to describe the change in plain English for the reviewer to ver
Solve only one problem per patch.
If your description starts to get long, that’s a sign that you probably need to split up your patch.
If the patch fixes a logged bug entry, refer to that bug entry by number and URL.
If the patch fixes a logged bug entry, refer to that bug entry by number or URL.
If the patch follows from a mailing list discussion, give a URL to the mailing list archive.
Please format these lines as `Fixes:` followed by the URL or, for Github bugs, the bug number preceded by a #.
@ -174,7 +174,7 @@ Emeritus Maintainers have no responsibilities or requirements beyond those of an
# Maintainers File
The definitive source of truth for maintainers of a repository is the MAINTAINERS.md file in that repository. The [MAINTAINERS.md](./MAINTAINERS.md) file in the main Podman repository is used for project-spanning roles, including Core Maintainer and Community Manager. Some repositories in the project will also have an OWNERS file, used by the CI system to map users to roles. Any changes to the [OWNERS](./OWNERS) file must make a corresponding change to the [MAINTAINERS.md](./MAINTAINERS.md) file to ensure that file maintains up to date. Most changes to MAINTAINERS.md will require a change to the repository’s OWNERS file (e.g. adding a Reviewer) but some will not (e.g. promoting a Maintainer to a Core Maintainer, which comes with no additional CI-related privileges).
The definitive source of truth for maintainers of this repository is the local [MAINTAINERS.md](./MAINTAINERS.md) file. The [MAINTAINERS.md](./MAINTAINERS.md) file in the main Podman repository is used for project-spanning roles, including Core Maintainer and Community Manager. Some repositories in the project will also have a local [OWNERS](./OWNERS) file, which the CI system uses to map users to roles. Any changes to the [OWNERS](./OWNERS) file must make a corresponding change to the [MAINTAINERS.md](./MAINTAINERS.md) file to ensure that file remains up to date. Most changes to [MAINTAINERS.md](./MAINTAINERS.md) will require a change to the repository’s [OWNERS](./OWNERS) file (e.g., adding a Reviewer), but some will not (e.g., promoting a Maintainer to a Core Maintainer, which comes with no additional CI-related privileges).
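Review bot: in the rewritten paragraph both "the local MAINTAINERS.md file" and "the MAINTAINERS.md file in the main Podman repository" link to the same relative path `./MAINTAINERS.md`; in any repository other than the main one, the second link resolves to that repository's local file rather than the main Podman repository's. Suggest linking the second mention to the main repository's MAINTAINERS.md by absolute URL, or dropping the link on that mention.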
| Neil Smith | [actionmancan](https://github.com/actionmancan) | Community Manager | [Red Hat](https://github.com/RedHatOfficial) |
| Tom Sweeney | [TomSweeneyRedHat](https://github.com/TomSweeneyRedHat/) | Maintainer and Community Manager | [Red Hat](https://github.com/RedHatOfficial) |
- A new command has been added, `podman machine cp`, to copy files into a running `podman machine` VM.
- A new command has been added, `podman artifact extract`, to copy some or all of the contents of an OCI artifact to a location on disk.
- The `--mount` option to `podman create`, `podman run`, and `podman pod create` now supports a new mount type, `--mount type=artifact`, to mount OCI artifacts into containers.
- The `podman artifact add` command now features two new options, `--append` (to add new files to an existing artifact) and `--file-type` (to specify the MIME type of the file added to the artifact) ([#25884](https://github.com/containers/podman/issues/25884)).
- The `podman artifact rm` command now features a new option, `--all`, to remove all artifacts in the local store.
- The `--filter` option to `podman pause`, `podman ps`, `podman restart`, `podman rm`, `podman start`, `podman stop`, and `podman unpause` now accepts a new filter, `command`, which filters on the first element (`argv[0]`) of the command run in the container.
- The `podman exec` command now supports a new option, `--cidfile`, to specify the ID of the container to exec into via a file ([#21256](https://github.com/containers/podman/issues/21256)).
- The `podman kube generate` and `podman kube play` commands now supports a new annotation, `io.podman.annotation.pids-limit/$containername`, preserving the PID limit for containers across `kube generate` and `kube play` ([#24418](https://github.com/containers/podman/issues/24418)).
- Quadlet `.container` units now support three new keys, `Memory=` (set maximum memory for the created container), `ReloadCmd` (execute a command via systemd `ExecReload`), and `ReloadSignal` (kill the container with the given signal via systemd `ExecReload`) ([#22036](https://github.com/containers/podman/issues/22036)).
- Quadlet `.container`, `.image`, and `.build` units now support two new keys, `Retry` (number of times to retry pulling image on failure) and `RetryDelay` (delay between retries) ([#25109](https://github.com/containers/podman/issues/25109)).
- Quadlet `.pod` units now support a new key, `HostName=`, to set the pod's hostname ([#25639](https://github.com/containers/podman/issues/25639)).
- Quadlet files now support a new option, `UpheldBy`, in the `Install` section, corresponding to the systemd `Upholds` option.
- The names of Quadlet units specified as systemd dependencies are now automatically translated - e.g. `Wants=my.container` is now valid.
- Podman now generates events for the creation and removal of secrets ([#24030](https://github.com/containers/podman/issues/24030)).
- A new global option has been added to Podman, `--cdi-spec-dir`, to specify additional search paths for CDI specs to the CDI loader ([#18292](https://github.com/containers/podman/issues/18292) and [#25691](https://github.com/containers/podman/issues/25691)).
- The `podman build` command now supports a new option, `--inherit-labels` (defaults to true), which controls whether labels are inherited from the base image or base stages.
- The `podman update` command now supports two new options, `--env` and `--unsetenv`, to alter the environment variables of existing containers ([#24875](https://github.com/containers/podman/issues/24875)).
### Breaking Changes
- Due to changes in Docker API types, two small breaking changes have been made in the Go bindings for the REST API. The `containers.Commit()` function now returns a new struct (`types.IDResponse`) with identical contents, and the `containers.ExecCreate` function's `handlers.ExecCreateConfig` parameter now contains a different embedded struct, potentially requiring changes to how it is assigned to.
### Changes
- Podman now requires at least Go 1.23 to build.
- Healthchecks have been refactored to avoid writing to the database as much as possible, greatly improving performance on systems with many simultaneous healthchecks running.
- Healthchecks now have a new status, `stopped`, which is reported if the container the healthcheck was run on stopped before the check could be completed ([#25276](https://github.com/containers/podman/issues/25276)).
- Containers in pods are now stopped in order based on their dependencies, with the infra container being stopped last, preventing application containers from losing networking before they are stopped due to the infra container stopping prematurely.
- Due to challenges with handling automatic installation, the Windows installer no longer installs WSLv2 or Hyper-V.
- Quadlet will now print warnings when skipping lines to help identify malformed Quadlet files ([#25339](https://github.com/containers/podman/issues/25339)).
- Creating `podman machine` VMs with a host mount over the VM's `/tmp` directory is no longer allowed ([#18230](https://github.com/containers/podman/issues/18230)).
- The `podman logs` command now allows options to be specified after the container name (e.g. `podman logs $containername --follow`) ([#25653](https://github.com/containers/podman/issues/25653)).
- Podman, by default, no longer uses a pause image for pod infra and service containers. Instead, a root filesystem containing only the `catatonit` binary will be used ([#23292](https://github.com/containers/podman/issues/23292)).
- The `podman system reset` command no longer removes the user's `podman.sock` API socket.
- When using Netavark v1.15 and higher, containers in non-default networks will no longer have the default search domain `dns.podman` added. Queries resolving such names will still work.
- Stopping a Quadlet `.network` unit will now delete the network (if no containers are actively using it) ([#23678](https://github.com/containers/podman/issues/23678)).
- For security hardening, the `/proc/interrupts` and `/sys/devices/system/cpu/$CPU/thermal_throttle` paths are now masked by default in containers ([#25634](https://github.com/containers/podman/issues/25634)).
### Bugfixes
- Fixed a bug where healthchecks would still run while a container was paused ([#24590](https://github.com/containers/podman/issues/24590)).
- Fixed a bug where the remote Podman client on Windows could not mount named volumes with a single-character name into containers ([#25218](https://github.com/containers/podman/issues/25218)).
- Fixed a bug where mounting an image could panic when run without `CAP_SYS_ADMIN` ([#25241](https://github.com/containers/podman/issues/25241)).
- Fixed a bug where Podman would not report errors when setting up healthchecks ([#25034](https://github.com/containers/podman/issues/25034)).
- Fixed a bug where the `podman exec` command would not add the additional groups of the user the exec session was run as unless the user was explicitly added with the `--user` option ([#25610](https://github.com/containers/podman/issues/25610)).
- Fixed a bug where errors during the `podman network connect` and `podman network disconnect` commands could create errors in the database which would cause `podman inspect` on the container to fail.
- Fixed a bug where the `podman kube generate` command did not correctly generate YAML for volume mounts using a subpath.
- Fixed a bug where the `podman system df` command could show a negative reclaimable size.
- Fixed a bug where accessing a rootful `podman machine` VM that was not `podman-machine-default` (the default VM) with the `podman machine ssh` command would put the user into the rootless shell ([#25332](https://github.com/containers/podman/issues/25332)).
- Fixed a bug where the `podman machine init` would report nonsensical memory values in error messages when trying to create a machine with more memory than the system.
- Fixed a bug where the remote Podman client's `podman start --attach` command would incorrectly print an error when run on a container created with the `--rm` option ([#25965](https://github.com/containers/podman/issues/25965)).
- Fixed a bug where the remote Podman client's `podman pull` command could hang and leak memory if the server was unexpectedly stopped or encountered an error during a pull.
- Fixed a bug where the remote Podman client's `podman cp` command would, on Windows, often fail to copy files into the container due to improper handling of Windows paths ([#14862](https://github.com/containers/podman/issues/14862)).
- Fixed a bug where the `podman container clone` command did not correctly copy healthcheck settings to the new container ([#21630](https://github.com/containers/podman/issues/21630)).
- Fixed a bug where the `podman kube play` command would fail to start empty pods ([#25786](https://github.com/containers/podman/issues/25786)).
- Fixed a bug where the `podman volume ls` command did not output headers when no volumes were present ([#25911](https://github.com/containers/podman/issues/25911)).
- Fixed a bug where healthcheck configuration provided by a container's image could not be overridden unless the `--health-cmd` option was specified when creating the container ([#20212](https://github.com/containers/podman/issues/20212)).
- Fixed a bug where the `--user` option to `podman create` and `podman run` could not be used with users added to the container by the `--hostuser` option ([#25805](https://github.com/containers/podman/issues/25805)).
- Fixed a bug where the `podman system reset` command on FreeBSD would incorrectly print an error.
- Fixed a bug where stopping the `podman machine start` command with SIGINT could result in machine state being incorrectly set to "Starting" ([#24416](https://github.com/containers/podman/issues/24416)).
- Fixed a bug where the `podman machine start` command would fail when starting a VM with volume mounts containing spaces using the HyperV machine provider ([#25500](https://github.com/containers/podman/issues/25500)).
### API
- Fixed a bug where the Compat Create API for Containers ignored ulimits specified in the request when Podman was run rootless ([#25881](https://github.com/containers/podman/issues/25881)).
### Misc
- Erroneous errors from the `ExecStartAndAttach()` function in the Go bindings for the REST API have been silenced, where the function would incorrectly report errors when stdin was consumed after the exec session was stopped ([#25344](https://github.com/containers/podman/issues/25344)).
- Updated Buildah to v1.40.0
- Updated the containers/common library to v0.63.0
- Updated the containers/image library to v5.35.0
- Updated the containers/storage library to v1.58.0
## 5.4.2
### Bugfixes
- Fixed a bug where the `podman import` command could not import images compressed with algorithms other than gzip ([#25593](https://github.com/containers/podman/issues/25593)).
- Fixed a bug where the `podman cp` command could deadlock when copying into a non-empty volume on a container that is not running ([#25585](https://github.com/containers/podman/issues/25585)).
### API
- Fixed a bug where the default values for some fields in the Libpod Create endpoint for Containers did not have sensible defaults for some healthcheck fields, causing unrestricted log growth for containers which did not set these fields ([#25473](https://github.com/containers/podman/issues/25473)).
### Misc
- Updated vendored Buildah to v1.39.4
- Updated the containers/common library to v0.62.3
- Updated the containers/image library to v5.34.3
- Updated the containers/storage library to v1.57.2
## 5.4.1
### Bugfixes
- Fixed a bug where volume quotas were not being applied ([#25368](https://github.com/containers/podman/issues/25368)).
- Fixed a bug where the `--pid-limit=-1` option did not function properly with containers using the `runc` OCI runtime.
- Fixed a bug where the `podman artifact pull` command did not respect the `--retry-delay` option.
- Fixed a bug where Podman would leak a file and directory for every container created.
- Fixed a bug where the `podman wait` command would sometimes error when waiting for a container set to auto-remove.
- Fixed a bug where Quadlet `.kube` units would not report an error (and stay running) even when a pod failed to start ([#20667](https://github.com/containers/podman/issues/20667)).
### API
- Fixed a bug where the Compat DF endpoint did not correctly report total size of all images.
### Misc
- Updated Buildah to v1.39.2
- Updated the containers/common library to v0.62.1
- Updated the containers/image library to v5.34.1
## 5.4.0
### Features
- A preview of Podman's support for OCI artifacts has been added through the `podman artifact` suite of commands, including `add`, `inspect`, `ls`, `pull`, `push`, and `rm`. This support is very early and not fully complete, and the command line interface for these tools has not been finalized. We welcome feedback on the new artifact experience through our issue tracker!
- The `podman update` command now supports a wide variety of options related to healthchecks (including `--health-cmd` to define a new healthcheck and `--no-healthcheck` to disable an existing healthcheck), allowing healthchecks to be added to, removed from, and otherwise updated on existing containers. You can find full details on the 15 added options in the manpage.
- The `--mount type=volume` option for the `podman run`, `podman create`, and `podman volume create` commands now supports a new option, `subpath=`, to make only a subset of the volume visible in the container ([#20661](https://github.com/containers/podman/issues/20661)).
- The `--userns=keep-id` option for the `podman run`, `podman create`, and `podman pod create` commands now supports a new option, `--userns=keep-id:size=`, to configure the size of the user namespace ([#24387](https://github.com/containers/podman/issues/24837)).
- The `podman kube play` command now supports Container Device Interface (CDI) devices ([#17833](https://github.com/containers/podman/issues/17833)).
- The `podman machine init` command now supports a new option, `--playbook`, to run an Ansible playbook in the created VM on first boot for initial configuration.
- Quadlet `.pod` files now support a new field, `ShmSize`, to specify the size of the pod's shared SHM ([#22915](https://github.com/containers/podman/issues/22915)).
- The `podman run`, `podman create`, and `podman pod create` commands now support a new option, `--hosts-file`, to define the base file used for `/etc/hosts` in the container.
- The `podman run`, `podman create`, and `podman pod create` commands now support a new option, `--no-hostname`, which disables the creation of `/etc/hostname` in the container ([#25002](https://github.com/containers/podman/issues/25002)).
- The `podman network create` command now supports a new option for `bridge` networks, `--opt mode=unmanaged`, which allows Podman to use an existing network bridge on the system without changes.
- The `--network` option to `podman run`, `podman create`, and `podman pod create` now accepts a new option for `bridge` networks, `host_interface_name`, which specifies a name for the network interface created outside the container.
- The `podman manifest rm` command now supports a new option, `--ignore`, to not error when removing manifests that do not exist.
- The `podman system prune` command now supports a new option, `--build`, to remove build containers leftover from prematurely terminated builds.
- The `podman events` command now generates events for the creation and removal of networks ([#24032](https://github.com/containers/podman/issues/24032)).
### Breaking Changes
- Due to a lack of availability of hardware to test on, the Podman maintainers are no longer capable of providing full support for Podman on Intel Macs. Binaries and machine images will still be produced, and pull requests related to MacOS on Intel systems will still be merged, but bugs will be fixed on a best effort basis only. We welcome any potential new maintainers who would be able to assist in restoring full support.
- Quadlet previously incorrectly allowed `:` as a character to define comments. This was a mistake; developer intent and documentation was that `#` and `;` were to be used as comment characters instead, matching systemd. This has been corrected, and semicolons now define comments instead of colons.
### Changes
- Podman now passes container hostnames to Netavark, which will use them for any DHCP requests for the container.
- Partial pulls of `zstd:chunked` images now only happen for images that have a `RootFS.DiffID` entry in the image's OCI config JSON, and require the layer contents to match. This resolves issues with image ID ambiguity when partial pulls were enabled.
- Packagers can now set the `BUILD_ORIGIN` environment variable when building podman from the `Makefile`. This provides information on who built the Podman binary, and is displayed in `podman version` and `podman info`. This will help upstream bug reports, allowing maintainers to trace how and where the binary was built and installed from.
### Bugfixes
- Fixed a bug where `podman machine` VMs on WSL using usermode networking could fail to start due to a port conflict ([#20327](https://github.com/containers/podman/issues/20327)).
- Fixed a bug where overlay mounts could not be made at paths where the image specifies a volume ([#24555](https://github.com/containers/podman/issues/24555)).
- Fixed a bug where the `podman build` command did not honor the `no_pivot_root` setting from `containers.conf` ([#24546](https://github.com/containers/podman/issues/24546)).
- Fixed a bug where volumes would have the wrong permissions if `podman cp` was used to copy into a fresh volume in a container that had never been started.
- Fixed a bug where using `podman cp` to copy into a named volume requiring a mount (image volumes, volumes backed by a volume plugin, or other volumes with options) would fail when the container being copied into was stopped.
- Fixed a bug where rlimits would be set incorrectly when Podman was run as root but without `CAP_SYS_RESOURCE` ([#24692](https://github.com/containers/podman/issues/24692)).
- Fixed a bug where the `podman stats --all` command would fail if a container started with `--cgroups=none` was present ([#24632](https://github.com/containers/podman/issues/24632)).
- Fixed a bug where the `podman info` command would only return details on one image store even if additional image stores were configured in `storage.conf`.
- Fixed a bug where the `podman update` command could reset resource limits that were not being modified to default ([#24610](https://github.com/containers/podman/issues/24610)).
- Fixed a bug where the remote Podman client's `podman update` command could not update resource limits on devices mounted into the container ([#24734](https://github.com/containers/podman/issues/24734)).
- Fixed a bug where the `podman manifest annotate` command could panic when the `--index` option was used ([#24750](https://github.com/containers/podman/issues/24750)).
- Fixed a bug where a Quadlet container reusing another container's network could cause errors if the second container was not already running.
- Fixed a bug where Quadlet files containing lines with a trailing backslash could cause an infinite loop during parsing ([#24810](https://github.com/containers/podman/issues/24810)).
- Fixed a bug where Quadlet would, when run as a non-root user, not generate for files in subfolders of `/etc/containers/systemd/users/` ([#24783](https://github.com/containers/podman/issues/24783)).
- Fixed a bug where values in Quadlet files containing octal escape sequences were incorrectly unescaped.
- Fixed a bug where `podman generate kube` could generate persistent volumes with mixed-case names or names containing an underscore, which are not supported by Kubernetes ([#16542](https://github.com/containers/podman/issues/16542)).
- Fixed a bug where the `ptmxmode` option to `--mount type=devpts` did not function.
- Fixed a bug where shell completion on Windows would include `.exe` in the executable name, breaking completion on some shells.
- Fixed a bug where the output of `podman inspect` on containers did not include the ID of the network the container was joined to, improving Docker compatibility ([#24910](https://github.com/containers/podman/issues/24910)).
- Fixed a bug where containers created with the remote API incorrectly included a create command ([#25026](https://github.com/containers/podman/issues/25026)).
- Fixed a bug where it was possible to specify the `libkrun` backend for VMs on Intel Macs (`libkrun` only supports Arm systems).
- Fixed a bug where `libkrun` and `applehv` VMs from `podman machine` could be started at the same time on Macs ([#25112](https://github.com/containers/podman/issues/25112)).
- Fixed a bug where `podman exec` commands could not detach from the exec session using the detach keys ([#24895](https://github.com/containers/podman/issues/24895)).
- Fixed a bug where Podman would fail to start due to a database configuration mismatch when certain fields were configured to the empty string ([#24738](https://github.com/containers/podman/issues/24738)).
### API
- The Compat and Libpod Build APIs for Images now support a new query parameter, `nohosts`, which (when set to true) does not create `/etc/hosts` in the image when building.
- Fixed a bug where the Compat Create API for Containers did not honor CDI devices, preventing (among other things) the use of GPUs with `docker compose` ([#19338](https://github.com/containers/podman/issues/19338)).
### Misc
- The Docker alias script has been fixed to better handle variable substitution.
- Fixed a bug where `podman-restart.service` functioned incorrectly when no containers were present.
- Updated Buildah to v1.39.0
- Updated the containers/common library to v0.62.0
- Updated the containers/storage library to v1.57.1
- Updated the containers/image library to v5.34.0
## 5.3.2
### Security
- This release contains Buildah v1.38.1 which addresses [CVE-2024-11218](https://github.com/advisories/GHSA-5vpc-35f4-r8w6).
### Bugfixes
- Fixed a bug where Quadlet `.build` files could create an invalid podman command line when `Pull=` was used ([#24599](https://github.com/containers/podman/issues/24599)).
- Fixed a bug where the Mac installer did not install the Podman manpages ([#24756](https://github.com/containers/podman/issues/24756)).
### Misc
- Updated Buildah to v1.38.1
- Updated the containers/common library to v0.61.1
- Updated the containers/storage library to v1.56.1
- Updated the containers/image library to v5.33.1
## 5.3.1
### Bugfixes
- Fixed a bug where the `--ignition-path` option to `podman machine init` would prevent creation of necessary files for the VM, rendering it unusable ([#23544](https://github.com/containers/podman/issues/23544)).
- Fixed a bug where rootless containers using the `bridge` networking mode would be unable to start due to a panic caused by a nil pointer dereference ([#24566](https://github.com/containers/podman/issues/24566)).
- Fixed a bug where Podman containers would try to set increased rlimits when started in a user namespace, rendering containers unable to start ([#24508](https://github.com/containers/podman/issues/24508)).
- Fixed a bug where certain SSH configurations would make the remote Podman client unable to connect to the server ([#24567](https://github.com/containers/podman/issues/24567)).
- Fixed a bug where the Windows installer could install WSLv2 when upgrading an existing Podman installation that used the Hyper-V virtualization backend.
## 5.3.0
### Features
- The `podman kube generate` and `podman kube play` commands can now create and run Kubernetes Job YAML ([#17011](https://github.com/containers/podman/issues/17011)).
@ -12,10 +12,10 @@ development efforts occur on the *main* branch. Branches with a
## Release workflow expectations
* You have push access to the [upstream podman repository](https://github.com/containers/podman.git)
* You have push access to the [upstream podman repository](https://github.com/containers/podman.git), and the upstream [podman-machine-os repository](https://github.com/containers/podman-machine-os)
* You understand all basic `git` operations and concepts, like creating commits,
local vs. remote branches, rebasing, and conflict resolution.
* You have access to your public and private *GPG* keys.
* You have access to your public and private *GPG* keys. They should also be documented on our [release keys repo](https://github.com/containers/release-keys).
* You have reliable internet access (i.e. not the public WiFi link at McDonalds)
* Other podman maintainers are online/available for assistance if needed.
* For a **major** release, you have 4-8 hours of time available, most of which will
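Review bot: the added sentence "They should also be documented on our release keys repo" states a requirement without telling a new releaser what to do when their key is not there yet; link the procedure for adding a key to containers/release-keys, since a tag signed with a key that is not published there cannot be verified by downstream users. Minor style point in the same list: "i.e. not the public WiFi link at McDonalds" means "e.g.".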
@ -25,12 +25,11 @@ development efforts occur on the *main* branch. Branches with a
* You will announce the release on the proper platforms
(i.e. Podman blog, Twitter, Mastodon Podman and Podman-Desktop mailing lists)
# Prechecks
# Release cadence
Two days before actually cutting a release (including RCs), send an announcement to the
mailing list about the upcoming release. This will help the Podman Desktop team test and schedule
their own new release.
Upstream major or minor releases occur the 2nd week of February, May, August, November.
Branching and RC's may start several weeks beforehand.
Patch releases occur as-needed.
# Releases
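Review bot: "send an announcement to the mailing list about the upcoming release" does not say which list; the expectations section names both the Podman and Podman-Desktop lists, and since the stated purpose is to help the Podman Desktop team plan, name the list (or lists) explicitly. Also "RC's" here versus "RCs" in the sentence before it; pick one spelling.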
@ -66,9 +65,8 @@ spelled with complete minutiae.
1. Create a new upstream release branch (if none already exist).
1. Check if a release branch is needed. Typically, major and minor version bumps
should be branched sometime during the release candidate phase. Patch
releases typically already have a branch created.
1. Check if a release branch is needed. All major and minor releases should be branched before RC1.
Patch releases typically already have a branch created.
Branching ensures all changes are curated before inclusion in the
release, and no new features land after the *release-candidate* phases
are complete.
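Review bot: "All major and minor releases should be branched before RC1" tightens the earlier "sometime during the release candidate phase" guidance but still says "should"; if branching before RC1 is now a hard rule (the next sentence depends on it so that no new features land after the release-candidate phases), say "must". Minor: "if none already exist" should read "if none already exists".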
@ -78,13 +76,11 @@ spelled with complete minutiae.
`git checkout -b vX.Y`. Where `X.Y` represent the complete release
version-name, including any suffix (if any) like `-rhel`. ***DO NOT***
include any `-rc` suffix in the branch name.
1. Edit the `.cirrus.yml` file, changing the `DEST_BRANCH` value (under the
`env` section) to the new, complete branch name (e.x. `vX.Y`).
Commit and sign, using the description
`Cirrus: Update operating branch`.
1. Push the new branch otherwise unmodified (`git push upstream vX.Y`).
1. Automation will begin executing on the branch immediately. Because
the repository allows out-of-sequence PR merging, it is possible that
1. Check if a release branch is needed on the `podman-machine-os` repo.
If so, repeat above steps for `podman-machine-os`.
1. Back on the podman repo, automation will begin executing on the branch immediately.
Because the repository allows out-of-sequence PR merging, it is possible that
merge order introduced bugs/defects. To establish a clean
baseline, observe the initial CI run on the branch for any unexpected
failures. This can be done by going directly to
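Review bot: the `.cirrus.yml` step ("changing the `DEST_BRANCH` value (under the `env` section) to the new, complete branch name") is dropped without saying what replaces it; if the branch's CI no longer needs `DEST_BRANCH` edited by hand, a one-line note to that effect would stop releasers from doing it anyway, and if it still does, the step should stay. The new "If so, repeat above steps for `podman-machine-os`" is also ambiguous about which steps apply to that repository (only creating and pushing the branch, or also watching the initial CI run described below).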
@ -153,12 +149,7 @@ spelled with complete minutiae.
1. Commit the `RELEASE_NOTES.md` changes, using the description
`Create release notes for vX.Y.Z` (where `X`, `Y`, and `Z` are the
actual version numbers).
1. Open a Release Notes PR, or include this commit with the version bump PR
* If you decide to open a PR with just release notes, make sure that
the commit has the prefix `[CI:DOCS]` to avoid triggering
lengthy automated testing.
* Otherwise, the release notes commit can also be included in the
following release PR.
1. Open a Release Notes PR, or include this commit with the version bump PR.
1. Update version numbers and push tag
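Review bot: the `[CI:DOCS]` guidance disappears together with the bullet list, so "Open a Release Notes PR, or include this commit with the version bump PR." no longer tells the releaser that a docs-only PR can skip the lengthy automated testing; if that prefix is still honored, keep the one sentence about it, and if it is not, that is worth stating in the commit message.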
@ -177,29 +168,53 @@ spelled with complete minutiae.
task `Optional Release Test`. In the right-hand window pane, click
the `trigger` button and wait for the test to go green. *This is a
critical step* which confirms the commit is worthy of becoming a release.
1. In the PR, under the *Checks* tab, a GitHub actions [task](https://github.com/containers/podman/actions/workflows/machine-os-pr.yml) will run.
This action opens a PR on the [podman-machine-os repo](https://github.com/containers/podman-machine-os), which builds VM images for the release. The action will also link the `podman-machine-os` pr in a comment on the podman PR
This action also automatically applies the `do-not-merge/wait-machine-image-build` to the Podman PR, which blocks merging until VM images are built and published.
1. Go to the `podman-machine-os` bump pr, by clicking the link in the comment, or by finding it in the [podman-machine-os repo](https://github.com/containers/podman-machine-os/pulls).
1. Wait for automation to finish running
1. Once you are sure that there will be no more force pushes on the Podman release PR, merge the `podman-machine-os` bump PR
1. Tag the `podman-machine-os` bump commit with the same version as the podman release. (git tag -s -m 'vX.Y.Z' vX.Y.Z)
1. Push the tag.
1. The tag will automatically trigger a Cirrus task, named “Publish Image”,
to publish the release images. It will push the images to Quay and cut a release on the `podman-machine-os` repo. Wait for this task to complete. You can monitor the task on the [Cirrus CI dashboard](https://cirrus-ci.com/github/containers/podman-machine-os)
1. Return to the Podman repo
1. The `do-not-merge/wait-podman-machine-os` label should be automatically
un-set once the `podman-machine-os` release is finished.
1. Wait for all other PR checks to pass.
1. Wait for other maintainers to merge the PR.
1. Tag the `Bump to vX.Y.Z` commit as a release by running
`git tag -s -m 'vX.Y.Z' vX.Y.Z $HASH` where `$HASH` is specified explicitly
and carefully, to avoid (basically) unfixable accidents (if they are pushed).
1. Change `version/rawversion/version.go` again. This time, bump the **patch** version and
re-add the `-dev` suffix to indicate this is a non-released version of Podman.
1. Change `contrib/spec/podman.spec.in`, bumping **patch** number of `Version`.
1. Commit these changes with the message `Bump to X.Y.Z-dev`.
1. Push your local branch to your GitHub fork (and the PR) again.
1. The PR should now have two commits that look very similar to
https://github.com/containers/podman/pull/7787
Note: Backports and release note commits may also be included in the release PR.
1. Wait for at least all the "Build" and "Verify" (or similar) CI Testing
steps to complete successfully. No need to wait for complete integration
4and system-testing (it was already done on substantially the same code, above).
1. Merge the PR (or ask someone else to review and merge, to be safer).
`git tag -s -m 'vX.Y.Z' vX.Y.Z $HASH` where `$HASH` is specified explicitly and carefully, to avoid (basically) unfixable accidents
(if they are pushed).
1. **Note:** This is the last point where any test-failures can be addressed
by code changes. After pushing the new version-tag upstream, no further
changes can be made to the code without lots of unpleasant efforts. Please
seek assistance if needed, before proceeding.
1. Assuming the "Bump to ..." PR merged successfully, and you're **really**
confident the correct commit has been tagged, push it with
`git push upstream vX.Y.Z`
1. Monitor release automation
1. After the tag is pushed, the release GitHub action should run.
This action creates the GitHub release from the pushed tag,
and automatically builds and uploads the binaries and installers to the release.
1. The following artifacts should be attached to the release:
* podman-installer-macos-amd64.pkg
* podman-installer-macos-arm64.pkg
* podman-installer-macos-universal.pkg
* podman-installer-windows-amd64.exe
* podman-installer-windows-arm64.exe
* podman-remote-release-darwin_amd64.zip
* podman-remote-release-darwin_arm64.zip
* podman-remote-release-windows_amd64.zip
* podman-remote-release-windows_arm64.zip
* podman-remote-static-linux_amd64.tar.gz
* podman-remote-static-linux_arm64.tar.gz
* shasums
1. An email should have been sent to the [podman](mailto:podman@lists.podman.io) mailing list.
Keep an eye on it make sure the email went through to the list.
1. The release action will also bump the Podman version on podman.io. It will open a PR if a non-rc latest version is released. Go to the [podman.io](https://github.com/containers/podman.io) repo and merge the PR opened by this action, if needed.
1. After the tag is pushed, an action to bump to -dev will run. A PR will be opened for this bump. Merge this PR if needed.
1. Locate, Verify release testing is proceeding
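Review bot: the label names disagree within this hunk: the GitHub action step says it "automatically applies the `do-not-merge/wait-machine-image-build`" label to the Podman PR, while a later step says "The `do-not-merge/wait-podman-machine-os` label should be automatically un-set"; only one of these can be the real label, and a releaser waiting for the wrong one will never see it clear, so use the same name in both places. Two smaller points: the tag command in "Tag the `podman-machine-os` bump commit ... (git tag -s -m 'vX.Y.Z' vX.Y.Z)" should be in backticks like every other command in the document, and "4and system-testing" has a stray digit.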
@ -220,68 +235,6 @@ spelled with complete minutiae.
"View All Tasks".
1. Keep this page open to monitor its progress and for use in future steps.
1. Bump main `-dev` version
1. If you made a release branch and bumped **major** or **minor** version
Complete the "Update version numbers and push tag" steps above on the
*main* branch. Bump the **minor** version and set the **patch**
version to 0. For example, after pushing the v2.2.0 release, *main*
should be set to v2.3.0-dev.
1. Create a "Bump to vX.Y.Z-dev" commit with these changes.
1. Update `RELEASE_NOTES.md` on main. Commit these changes.
1. Create a PR with the above commits, and oversee it's merging.
1. Create GitHub Release entry and upload assets
1. Return to the Cirrus-CI Build page for the new release tag, confirm
(or wait for) it to complete, re-running any failed tasks as appropriate.
1. Go to `https://github.com/containers/podman/releases/tag/vX.Y.Z` and
press the "Edit Release" button. Change the name to the form `vX.Y.Z`
1. If this is a release candidate be certain to click the pre-release
checkbox at the bottom of the page.
1. If this new release will be the latest version released, be certain to
click the latest release checkbox at the bottom of the page.
1. Copy and paste the release notes for the release into the body of
the release.
1. Click the Publish button to make the release (or pre-release)
available.
1. For all releases, including RC's, artifacts should be published. The
release-artifacts, upload-win-installer, and mac-pkg GitHub Actions
should automatically take care of building, signing, and uploading artifacts.
Check the "Actions" tab, after publishing you should see the jobs running.
There may be more than one running due to the multiple
event states triggered, but this can be ignored, as any duplicates
will gracefully back-off. The job takes 5-6 minutes to complete.
Please note that the Windows action depends on the artifact action, and will be
triggered after the artifact action succeeds.
If any of these actions are somehow not triggered, you can manually trigger them
### *CLI Approach*
1. Install the [GitHub CLI](https://github.com/cli/cli#installation)
1. Run (replacing below version number to release version)
```
gh workflow run "ACTION NAME" -F version="vX.Y.Z"
```
### *GUI Approach*
1. Go to the "Actions" tab
1. On the left pick the required action to be triggered.
1. A blue box will appear above the job list with a right side drop
-down. Click the drop-down and specify the version number in the
dialog that appears
1. Check that all following artifacts are now attached to the release
* podman-remote-release-darwin_amd64.zip
* podman-remote-release-darwin_arm64.zip
* podman-remote-release-windows_amd64.zip
* podman-vX.Y.Z.msi
* podman-remote-static-linux_amd64.tar.gz
* podman-remote-static-linux_arm64.tar.gz
* podman-installer-macos-amd64.pkg
* podman-installer-macos-arm64.pkg
* podman-5.2.1-setup.exe
* shasums
1. Update Cirrus-CI cron job list
1. After any Major or significant minor (esp. `-rhel`) releases, it's critical to
maintain the Cirrus-CI cron job list. This applies to all containers-org repos,
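Review bot: the removed "Bump main `-dev` version" steps have no replacement in this patch: the new "Monitor release automation" list says an action opens a PR to bump to `-dev` after the tag is pushed, but nothing now tells the releaser of a **major** or **minor** release to set *main* to the next minor `-dev` version (the "after pushing the v2.2.0 release, *main* should be set to v2.3.0-dev" case the removed text described) or to update `RELEASE_NOTES.md` on main. If that is automated too, say so; otherwise keep those steps. Likewise the manual `gh workflow run "ACTION NAME" -F version="vX.Y.Z"` fallback was the documented recovery path when an action was not triggered; a one-line pointer to re-running the release action would replace it.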
@ -310,9 +263,5 @@ spelled with complete minutiae.
Highlight key features and important changes or fixes. Link to the GitHub release.
Make sure the blog post is properly tagged with the Announcement, Release, and Podman tags,
and any other appropriate tags.
1. For all releases, including patch releases and RC's, send an email to the [podman](mailto:podman@lists.podman.io) and [podman-desktop](mailto:podman-desktop@lists.podman.io) mailing lists. This should be automated by the release-artifacts
action, but it's best to keep and eye on it to see if the email went through to the lists.
Link the to release blog and GitHub release.
1. Update [LATEST_VERSION](https://github.com/containers/podman.io/blob/main/static/data/global.ts) on the Podman.io website.
1. Tweet the release. Make a Mastodon post about the release.
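Review bot: dropping the mailing-list step here removes the only mention of the podman-desktop list: the automated email described earlier in the patch is said to go to the podman list, while the removed step also covered `podman-desktop@lists.podman.io`, and the expectations section still lists "Podman and Podman-Desktop mailing lists" as announcement platforms. Either confirm the action also mails podman-desktop, or keep a manual step for it. If any of the removed text is restored, fix its typos ("keep and eye", "Link the to release blog").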
**Note**: The CNI backend is deprecated and will be removed in the next major Podman version, 5.0, in favor
of Netavark; see **[podman-network(1)](../docs/source/markdown/podman-network.1.md)** for how to change the backend.
There are a wide variety of different [CNI](https://github.com/containernetworking/cni) network configurations. This
directory just contains an example configuration that can be used as the
basis for your own configuration.
To use this configuration, place it in `/etc/cni/net.d` (or the directory
specified by `cni_config_dir` in your `containers.conf`).
For example, a basic network configuration can be achieved with:
```bash
sudo mkdir -p /etc/cni/net.d
curl -qsSL https://raw.githubusercontent.com/containers/podman/main/cni/87-podman-bridge.conflist | sudo tee /etc/cni/net.d/87-podman-bridge.conflist
```
Dependent upon your CNI configuration, you will need to install as a minimum the `port` and `bridge` [CNI plugins](https://github.com/containernetworking/plugins) into `/opt/cni/bin` (or the directory specified by `cni_plugin_dir` in containers.conf). Please refer to the [CNI](https://github.com/containernetworking) project page in GitHub for more information.
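As an added check (example code, not part of the podman repository), the script below verifies a CNI setup of the kind described above: it reads every `.conflist` in the config directory, collects the plugin `type` names, confirms that each one has an executable in the plugin directory, and insists that `bridge` and `portmap` (the plugin binary that provides the port mappings referred to as `port` above) are configured. The function takes the two directories as arguments so it can be run against `/etc/cni/net.d` and `/opt/cni/bin` or against any `cni_config_dir`/`cni_plugin_dir` pair; the demo conflist, the temporary directories and the empty stand-in binaries are constructed here so the check runs offline.

```shell
#!/bin/sh
# Added example (not from the podman repository): sanity-check a CNI setup.
#
# check_cni_setup CONF_DIR PLUGIN_DIR
#   CONF_DIR   - directory holding *.conflist files (/etc/cni/net.d, or the
#                cni_config_dir value from containers.conf)
#   PLUGIN_DIR - directory holding the plugin binaries (/opt/cni/bin, or the
#                cni_plugin_dir value from containers.conf)
# Prints one line per problem and returns 0 only when every plugin "type"
# named in a conflist has an executable and bridge and portmap are configured.
check_cni_setup() {
    conf_dir=$1
    plugin_dir=$2
    problems=0
    found_any=0

    for conflist in "$conf_dir"/*.conflist; do
        [ -f "$conflist" ] || continue   # the glob matched nothing
        found_any=1
        # Each plugin entry (the "ipam" block included) has a "type" key whose
        # value is the name of the binary CNI executes from PLUGIN_DIR. Collect
        # those names as one space-separated list; sed avoids a jq dependency
        # and assumes the usual one-key-per-line layout of shipped conflists.
        types=$(sed -n 's/.*"type"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$conflist" | tr '\n' ' ')

        for t in $types; do   # unquoted on purpose: split on whitespace
            if [ ! -x "$plugin_dir/$t" ]; then
                echo "$conflist: plugin '$t' has no executable in $plugin_dir"
                problems=$((problems + 1))
            fi
        done

        # Minimum for a working podman bridge network: the bridge plugin and
        # portmap (the port-mapping plugin).
        for required in bridge portmap; do
            case " $types " in
                *" $required "*) ;;
                *) echo "$conflist: required plugin '$required' is not configured"
                   problems=$((problems + 1)) ;;
            esac
        done
    done

    if [ "$found_any" -eq 0 ]; then
        echo "no .conflist files found in $conf_dir"
        return 1
    fi
    [ "$problems" -eq 0 ]
}

# Constructed, throw-away layout for an offline demo: a conflist modelled on
# a bridge + portmap + firewall + tuning chain and empty executable stand-ins
# for the plugin binaries. Prints the temporary root directory.
make_demo_layout() {
    root=$(mktemp -d)
    mkdir -p "$root/net.d" "$root/bin"
    cat > "$root/net.d/87-demo-bridge.conflist" <<'EOF'
{
  "cniVersion": "0.4.0",
  "name": "podman",
  "plugins": [
    {
      "type": "bridge",
      "bridge": "cni-podman0",
      "isGateway": true,
      "ipMasq": true,
      "ipam": {
        "type": "host-local",
        "ranges": [[{ "subnet": "10.88.0.0/16", "gateway": "10.88.0.1" }]],
        "routes": [{ "dst": "0.0.0.0/0" }]
      }
    },
    { "type": "portmap", "capabilities": { "portMappings": true } },
    { "type": "firewall" },
    { "type": "tuning" }
  ]
}
EOF
    for p in bridge host-local portmap firewall tuning; do
        : > "$root/bin/$p" && chmod +x "$root/bin/$p"
    done
    echo "$root"
}

# Demo: a complete layout passes, then removing one binary makes it fail.
demo=$(make_demo_layout)
check_cni_setup "$demo/net.d" "$demo/bin" && echo "demo layout: ok"
rm -f "$demo/bin/portmap"                 # simulate a missing plugin binary
check_cni_setup "$demo/net.d" "$demo/bin" || echo "demo layout: problems found (expected)"
rm -rf "$demo"
```

Against a real host, `check_cni_setup /etc/cni/net.d /opt/cni/bin` (as root, since the plugin directory is usually not world-readable) reports any plugin named in the configuration that has no binary, which is the usual cause of a container failing to start right after a new conflist is dropped in.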
<p align="center"><b>This is the snap for <a href="https://podman.io/">podman</a></b>, <i>“Managing Pods, Containers, and Container Images in Multiple Formats (Docker, OCI, ...).”</i> It works on Ubuntu, Fedora, Debian, RHEL, SUSE, and other major Linux
distributions.</p>
<p align="center">Published for <img src="https://raw.githubusercontent.com/anythingcodes/slack-emoji-for-techies/gh-pages/emoji/tux.png" align="top" width="24"/> with 💝 by Snapcrafters</p>
## Install
```bash
sudo snap install podman
```
([Don't have snapd installed?](https://snapcraft.io/docs/core/install))
## Remaining tasks
Snapcrafters are working to land snap install documentation and
the [snapcraft.yaml](https://github.com/snapcrafters/podman/blob/main/snap/snapcraft.yaml)
upstream so `podman` can authoritatively publish future releases.
- [x] Fork the [Snapcrafters template](https://github.com/snapcrafters/fork-and-rename-me) repository to your own GitHub account.
- If you have already forked the Snapcrafter template to your account and want to create another snap, you'll need to use GitHub's [Import repository](https://github.com/new/import) feature because you can only fork a repository once.
- [x] Rename the forked Snapcrafters template repository
- [x] Update the description of the repository
- [x] Update logos and references to `podman` and `[podman]`
- [ ] Create a snap that runs in `devmode`
- [x] Register the snap in the store, **using the preferred upstream name**
- [ ] Add a screenshot to this `README.md`
- [ ] Publish the `devmode` snap in the Snap store edge channel
- [ ] Add install instructions to this `README.md`
- [ ] Update snap store metadata, icons and screenshots
- [ ] Convert the snap to `strict` confinement, or `classic` confinement if it qualifies
- [ ] Publish the confined snap in the Snap store beta channel
- [ ] Update the install instructions in this `README.md`
- [ ] Post a call for testing on the [Snapcraft Forum](https://forum.snapcraft.io) - [link]()
- [ ] Make a post in the [Snapcraft Forum](https://forum.snapcraft.io) asking for a transfer of the snap name from you to snapcrafters - [link]()
- [ ] Ask a [Snapcrafters admin](https://github.com/orgs/snapcrafters/people?query=%20role%3Aowner) to fork your repo into github.com/snapcrafters, and configure the repo for automatic publishing into edge on commit
- [ ] Add the provided Snapcraft build badge to this `README.md`
- [ ] Publish the snap in the Snap store stable channel
- [ ] Update the install instructions in this `README.md`
- [ ] Post an announcement in the [Snapcraft Forum](https://forum.snapcraft.io) - [link]()
- [ ] Submit a pull request or patch upstream that adds snap install documentation - [link]()
- [ ] Submit a pull request or patch upstream that adds the `snapcraft.yaml` and any required assets/launchers - [link]()
- [ ] Add upstream contact information to the `README.md`
- If upstream accepts the PR:
  - [ ] Request upstream create a Snap store account
  - [ ] Contact the Snap Advocacy team to request the snap be transferred to upstream
  - [ ] Ask the Snap Advocacy team to celebrate the snap - [link]()
If you have any questions, [post in the Snapcraft forum](https://forum.snapcraft.io).
Description of the important directories in our repository.
### bin/
- Built binaries are put here: podman, podman-remote, quadlet, etc.
### cmd/
- Each directory here builds its own binary.
#### cmd/podman/
- Podman CLI code. CLI commands and flags are defined here; we use the [Cobra CLI library](https://github.com/spf13/cobra) for command line parsing.
#### cmd/quadlet/
- Quadlet CLI code.
### contrib/
- CI scripts, packaging files and some container image build files.
### docs/
- Sphinx-based documentation for Podman that is built on [Read the Docs](https://readthedocs.com/) and hosted at [docs.podman.io](https://docs.podman.io/).
- More information is found in [README.md](./README.md).
### libpod/ (only works on Linux and FreeBSD)
- Underlying core for most Podman operations, defines container, pod, volume management operations.
- Contains the database that stores this information on disk, either SQLite or BoltDB (our old DB format).
- Integrates with our other libraries such as:
  - containers/storage to create and mount container storage.
  - containers/buildah for building images.
  - containers/common/libnetwork for network management.
### pkg/
- Various packages to do all sorts of different things.
#### pkg/api/
- The HTTP REST API server code.
#### pkg/bindings/
- The HTTP REST API client code.
- This package must have a stable API as it is for use by external consumers as well.
#### pkg/domain/
- "Glue" code between the CLI and the actual operations performed.
##### pkg/domain/entities/
- This package defines two interfaces (ContainerEngine, ImageEngine) that more or less have one function for each CLI command defined.
- It also defines a lot of types (structs) for the various options the functions accept.
##### pkg/domain/infra/tunnel/
- Implements the two interfaces for the remote mode (podman-remote), which simply maps each operation to the bindings code from pkg/bindings, which then talks to the remote server.
##### pkg/domain/infra/abi/
- Implements the two interfaces for the local mode (podman), which then calls directly into the core parts of libpod/ or our other libraries containers/{common,image,storage}...
#### pkg/libartifact/
- Core code for the new podman artifact commands.
#### pkg/machine/
- Core code for podman machine commands.
##### pkg/machine/e2e/
- e2e tests for podman machine commands.
- Runs on Windows, macOS and Linux.
### test/
- Various test suites, see the test [README.md](../test/README.md) for more details.
- These run on Linux only.
### vendor/
- Directory created with `go mod vendor`.
- This includes all Go dependencies in our repo. DO NOT edit this directory directly; changes to dependencies must be made in their respective upstream repositories and then updated in go.mod.
@ -13,7 +13,7 @@ Options common to all mount types:
- *src*, *source*: mount source spec for **bind**, **glob**, and **volume**.
Mandatory for **artifact**, **bind**, **glob**, **image** and **volume**.
- *dst*, *destination*, *target*: mount destination spec.
- *dst*, *dest*, *destination*, *target*: mount destination spec.
When source globs are specified without the destination directory,
the files and directories are mounted with their complete path
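Review bot: the new *dest* alias on the *dst* line needs the mount option parser and a test to accept `dest` as well; documenting an alias that the parser rejects is worse than not listing it, so please point at the corresponding code change (or add it) in this PR.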
@ -32,17 +32,28 @@ Options specific to type=**artifact**:
- *title*: If the artifact source contains multiple blobs a title can be set
which is compared against `org.opencontainers.image.title` annotation.
- *name*: This can be used to overwrite the filename we use inside the container
for mounting. On a single blob artifact the name is used as is if *dst* is a
directory and otherwise ignored. With a multi blob artifact the name will be
used with an index suffix `<name>-x` where x is the layer index in the artifact
starting with 0.
The *src* argument contains the name of the artifact, which must already exist locally.
The *dst* argument contains the target path, if the path in the container is a
directory or does not exist the blob title (`org.opencontainers.image.title`
annotation) will be used as filename and joined to the path. If the annotation
does not exist the digest will be used as filename instead. This results in all blobs
of the artifact mounted into the container at the given path.
directory the blob title (`org.opencontainers.image.title` annotation) will be used as
filename and joined to the path. If the annotation does not exist the digest will be
used as filename instead. This results in all blobs of the artifact mounted into the
container at the given path.
However, if the *dst* path is an existing file in the container, then the blob will be
mounted directly on it. This only works when the artifact contains a single blob
or when either *digest* or *title* are specified.
If the *dst* path does not already exist in the container then if the artifact contains
a single blob it behaves like existing file case and mounts directly to that path.
If the artifact has more than one blob it works like the existing directory case and
mounts each blob as file within the *dst* path.
Options specific to type=**volume**:
- *ro*, *readonly*: *true* or *false* (default if unspecified: *false*).
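Review bot: grammar and wording in the new artifact paragraphs: "when either *digest* or *title* are specified" should read "is specified", "it behaves like existing file case" should be "it behaves like the existing-file case", and "mounts each blob as file within the *dst* path" should be "as a file". The *name* paragraph also says the `<name>-x` suffix uses "the layer index" while the rest of the section speaks of blobs; use "blob index" consistently so readers do not wonder whether layers and blobs differ here.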
@ -89,6 +100,8 @@ Options specific to type=**tmpfs** and **ramfs**:
- *tmpcopyup*: Enable copyup from the image directory at the same location to the tmpfs/ramfs. Used by default.
- *noatime*: Disable updating file access times when the file is read.
- *notmpcopyup*: Disable copying files from the image to the tmpfs/ramfs.
- *U*, *chown*: *true* or *false* (default if unspecified: *false*). Recursively change the owner and group of the source volume based on the UID and GID of the container.
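Review bot: *notmpcopyup* is separated from *tmpcopyup*, whose default behaviour it disables, by the *noatime* entry; listing it directly below *tmpcopyup* (or folding it into that entry as "disable with *notmpcopyup*") keeps the pair together and makes the default/override relationship obvious.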
- **container:**_id_: Reuse another container's network stack.
- **host**: Do not create a network namespace, the container uses the host's network. Note: The host mode gives the container full access to local system services such as D-bus and is therefore considered insecure.
- **host**: Use the host's network namespace for the container instead of creating an isolated namespace. Warning: This gives the container full access to abstract Unix domain sockets and to TCP/UDP sockets bound to localhost. Since these mechanisms are often used to prevent access to sensitive system services, isolating them from access by external entities, use of this option may be considered a security vulnerability.
- **ns:**_path_: Path to a network namespace to join.
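Review bot: the replacement wording for **host** correctly explains the mechanism (abstract Unix domain sockets and localhost-bound TCP/UDP sockets) and "Warning" is the right label, but it drops the concrete D-Bus example the old line gave; keep one named localhost service such as the system D-Bus socket next to the explanation, since that is what readers scanning for the risk of host networking recognise.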
**auto**[:_OPTIONS,..._]: automatically create a unique user namespace.
* `rootful mode`: The `--userns=auto` flag requires that the user name __containers__ be specified in the /etc/subuid and /etc/subgid files, with an unused range of subordinate user IDs that Podman containers are allowed to allocate.
Example: `containers:2147483647:2147483648`.
* `rootful mode`: The `--userns=auto` flag requires that the user name __containers__ be specified in the /etc/subuid and /etc/subgid files, with an unused range of subordinate user IDs that Podman containers are allowed to allocate. Example: `containers:2147483647:2147483648`.
* `rootless mode`: The users range from the /etc/subuid and /etc/subgid files will be used. Note running a single container without using --userns=auto will use the entire range of UIDs and not allow further subdividing. See subuid(5).
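Review bot: the rootless bullet writes --userns=auto without code formatting while the merged rootful bullet uses backticks; format it the same way. "The users range" should be "the user's range", and "Note running a single container" needs a comma or colon after "Note".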
Export the checkpoint to a tar.gz file. The exported checkpoint can be used
to import the *container* on another system and thus enabling container live
migration. This checkpoint archive also includes all changes to the *container's*
root file-system, if not explicitly disabled using **--ignore-rootfs**.
Export the checkpoint to an archive. The archive type is specified with
**--compress**. The exported checkpoint can be used to import the *container* on
another system and thus enabling container live migration. This checkpoint
archive also includes all changes to the *container's* root file-system, if not
explicitly disabled using **--ignore-rootfs**.
#### **--file-locks**
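Review bot: replacing "tar.gz file" with "an archive. The archive type is specified with **--compress**" loses the information about what you get without the flag; state the default of **--compress** or cross-reference its option entry so a reader of **--export** alone knows the output format. In the retained sentence, "and thus enabling container live migration" should be "and thus enables container live migration".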
@ -99,7 +100,7 @@ The default is **false**.
#### **--ignore-rootfs**
If a checkpoint is exported to a tar.gz file it is possible with the help of **--ignore-rootfs** to explicitly disable including changes to the root file-system into the checkpoint archive file.\
If a checkpoint is exported to an archive it is possible with the help of **--ignore-rootfs** to explicitly disable including changes to the root file-system into the checkpoint archive file.\
The default is **false**.\
*IMPORTANT: This OPTION only works in combination with __--export, -e__.*
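Review bot: "disable including changes to the root file-system into the checkpoint archive file" reads better as "exclude changes to the root file system from the checkpoint archive"; the tar.gz to archive substitution itself is consistent with the **--export** change.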
@ -107,7 +108,7 @@ The default is **false**.\
This OPTION must be used in combination with the **--export, -e** OPTION.
When this OPTION is specified, the content of volumes associated with
the *container* is not included into the checkpoint tar.gz file.\
the *container* is not included into the checkpoint archive.\
The default is **false**.
#### **--keep**, **-k**
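Review bot: "is not included into the checkpoint archive" should be "is not included in the checkpoint archive".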
@ -128,7 +129,7 @@ The default is **false**.
#### **--pre-checkpoint**, **-P**
Dump the *container's* memory information only, leaving the *container* running. Later
operations supersedes prior dumps. It only works on `runc 1.0-rc3` or `higher`.\
operations supersedes prior dumps.\
The default is **false**.
The functionality to only checkpoint the memory of the container and in a second
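Review bot: the retained sentence "Later operations supersedes prior dumps" still has a number-agreement error ("supersede"). The hunk also deletes the runc version requirement without a replacement; if a minimum runtime version is still required for pre-checkpointing, that requirement belongs in the prerequisites rather than being dropped silently.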
@ -205,12 +206,12 @@ Create a checkpoint image for the container "mywebserver".
Dumps the container's memory information of the latest container into an archive.
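Review bot: "Dumps the container's memory information of the latest container into an archive" repeats "container"; "Dumps the memory information of the latest container into an archive" reads cleanly, and "latest" should be tied to what it means (the most recently created container) if that is the intent.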
Rename the pod or container so that it does not conflict with the existing entity. This is helpful when the JSON is to be used before the source pod or container is deleted.
@ -57,6 +57,10 @@ Note: To customize the name of the infra container created during `podman kube p
Note: Use the **io.podman.annotations.pids-limit/$ctrname** annotation to configure the pod's pids limit.
Note: Use the **io.podman.annotations.cpuset/$ctrname** annotation to restrict a container's execution to a specific set of CPU cores. This is equivalent to the `--cpuset-cpus=number` option in podman-run(1).
Note: Use the **io.podman.annotations.memory-nodes/$ctrname** annotation to restrict a container's memory allocations to a specific set of memory nodes on NUMA systems. This is equivalent to the `--cpuset-mems=nodes` option in podman-run(1).
`Kubernetes PersistentVolumeClaims`
A Kubernetes PersistentVolumeClaim represents a Podman named volume. Only the PersistentVolumeClaim name is required by Podman to create a volume. Kubernetes annotations can be used to make use of the available options for Podman volumes.
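Review bot: placeholder consistency in the two new notes: the cpuset note says "equivalent to the `--cpuset-cpus=number` option" while the memory-nodes note uses `--cpuset-mems=nodes`; both options accept a list or range rather than a single number, so a placeholder like `cpus` (or an example such as `0-2`) is clearer than `number`.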